Security News > 2020 > November > New Chrome Zero-Day Under Active Attacks – Update Your Browser
Google has patched a second actively exploited zero-day flaw in the Chrome browser in two weeks, along with addressing nine other security vulnerabilities in its latest update.
The zero-day flaw, tracked as CVE-2020-16009, was reported by Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of Google Project Zero on October 29.
Google hasn't made any details about the bug or the exploit used by threat actors public so as to allow a majority of users to install the updates and prevent other adversaries from developing their own exploits leveraging the flaw.
Aside from the ten security fixes for the desktop version of Chrome, Google has also addressed a separate zero-day in Chrome for Android that was being exploited in the wild - a sandbox escape flaw tracked as CVE-2020-16010.
The zero-day disclosures come two weeks after Google fixed a critical buffer overflow flaw in the Freetype font library.
News URL
http://feedproxy.google.com/~r/TheHackersNews/~3/tywlDpg-pVc/new-chrome-zero-day-under-active.html
Related news
- Google fixes two Android zero-days used in targeted attacks (source)
- Microsoft patches Windows zero-day exploited in attacks on Ukraine (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
- Palo Alto Networks patches two firewall zero-days used in attacks (source)
- Apple fixes two zero-days used in attacks on Intel-based Macs (source)
- Apple Patches Two Zero-Day Attack Vectors (source)
- Japan warns of IO-Data zero-day router flaws exploited in attacks (source)
- Fully patched Cleo products under renewed 'zero-day-ish' mass attack (source)
- New Cleo zero-day RCE flaw exploited in data theft attacks (source)
- Cleo patches critical zero-day exploited in data theft attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2020-11-03 | CVE-2020-16009 | Type Confusion vulnerability in multiple products Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
2020-11-03 | CVE-2020-16010 | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 8.8 |