Security News > 2020 > November > Google fixes two actively exploited Chrome zero-days (CVE-2020-16009, CVE-2020-16010)
For the third time in two weeks, Google has patched Chrome zero-day vulnerabilities that are being actively exploited in the wild: CVE-2020-16009 is present in the desktop version of the browser, CVE-2020-16010 in the mobile version.
The former was found and reported by Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of Google Project Zero, the latter by Maddie Stone, Mark Brand, and Sergei Glazunov of Google Project Zero.
The company did not say whether these Chrome zero-days and the one fixed two weeks ago - which is exploited in conjunction with CVE-2020-17087, a Windows kernel zero-day - are being leveraged by the same attackers.
Chrome version 86.0.4240.183 for Windows, macOS and Linux is the latest stable version that contains fixes for CVE-2020-16009 and nine additional vulnerabilities.
Chrome v86.0.4240.185 for Android contains all the aforementioned fixes plus the one for CVE-2020-16010.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/2g4pq1D6qsA/
Related news
- New Chrome Zero-Day Actively Exploited; Google Issues Emergency Out-of-Band Patch (source)
- Google Drops Cookie Prompt in Chrome, Adds IP Protection to Incognito (source)
- Google: 97 zero-days exploited in 2024, over 50% in spyware attacks (source)
- Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products (source)
- Google Rolls Out On-Device AI Protections to Detect Scams in Chrome and Android (source)
- Google Chrome to use on-device AI to detect tech support scams (source)
- Google Chrome to block admin-level browser launches for better security (source)
- Google fixes high severity Chrome flaw with public exploit (source)
- Google Chrome's Built-in Manager Lets Users Update Breached Passwords with One Click (source)
- Google Chrome to distrust Chunghwa Telecom, Netlock certificates in August (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-11 | CVE-2020-17087 | Incorrect Calculation of Buffer Size vulnerability in Microsoft products Windows Kernel Local Elevation of Privilege Vulnerability | 0.0 |
| 2020-11-03 | CVE-2020-16009 | Type Confusion vulnerability in multiple products Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2020-11-03 | CVE-2020-16010 | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 8.8 |