Security News > 2020 > November > New Chrome Zero-Day Under Active Attacks – Update Your Browser
Google has patched a second actively exploited zero-day flaw in the Chrome browser in two weeks, along with addressing nine other security vulnerabilities in its latest update.
The zero-day flaw, tracked as CVE-2020-16009, was reported by Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of Google Project Zero on October 29.
Google hasn't made any details about the bug or the exploit used by threat actors public so as to allow a majority of users to install the updates and prevent other adversaries from developing their own exploits leveraging the flaw.
Aside from the ten security fixes for the desktop version of Chrome, Google has also addressed a separate zero-day in Chrome for Android that was being exploited in the wild - a sandbox escape flaw tracked as CVE-2020-16010.
The zero-day disclosures come two weeks after Google fixed a critical buffer overflow flaw in the Freetype font library.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/tywlDpg-pVc/new-chrome-zero-day-under-active.html
Related news
- Firefox Zero-Day Under Attack: Update Your Browser Immediately (source)
- Rackspace monitoring data stolen in ScienceLogic zero-day attack (source)
- Qualcomm patches high-severity zero-day exploited in attacks (source)
- Ivanti warns of three more CSA zero-days exploited in attacks (source)
- Mozilla fixes Firefox zero-day actively exploited in attacks (source)
- CISA Adds ScienceLogic SL1 Vulnerability to Exploited Catalog After Active Zero-Day Attack (source)
- Fortinet warns of new critical FortiManager flaw used in zero-day attacks (source)
- Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day (source)
- Fortinet FortiManager flaw exploited in zero-day attacks (CVE-2024-47575) (source)
- Google fixes two Android zero-days used in targeted attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-03 | CVE-2020-16009 | Type Confusion vulnerability in multiple products Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2020-11-03 | CVE-2020-16010 | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 8.8 |