Security News > 2020 > November > Google fixes two actively exploited Chrome zero-days (CVE-2020-16009, CVE-2020-16010)
For the third time in two weeks, Google has patched Chrome zero-day vulnerabilities that are being actively exploited in the wild: CVE-2020-16009 is present in the desktop version of the browser, CVE-2020-16010 in the mobile version.
The former was found and reported by Clement Lecigne of Google's Threat Analysis Group and Samuel Groß of Google Project Zero, the latter by Maddie Stone, Mark Brand, and Sergei Glazunov of Google Project Zero.
The company did not say whether these Chrome zero-days and the one fixed two weeks ago - which is exploited in conjunction with CVE-2020-17087, a Windows kernel zero-day - are being leveraged by the same attackers.
Chrome version 86.0.4240.183 for Windows, macOS and Linux is the latest stable version that contains fixes for CVE-2020-16009 and nine additional vulnerabilities.
Chrome v86.0.4240.185 for Android contains all the aforementioned fixes plus the one for CVE-2020-16010.
News URL
http://feedproxy.google.com/~r/HelpNetSecurity/~3/2g4pq1D6qsA/
Related news
- Google fixes Chrome zero-days exploited at Pwn2Own 2024 (source)
- Google fixes one more Chrome zero-day exploited at Pwn2Own (source)
- Google Chrome gets real-time phishing protection later this month (source)
- Google Introduces Enhanced Real-Time URL Protection for Chrome Users (source)
- Google: Spyware vendors behind 50% of zero-days exploited in 2023 (source)
- Miscreants are exploiting enterprise tech zero days more and more, Google warns (source)
- Zero-day exploitation surged in 2023, Google finds (source)
- Google agrees to delete Chrome browsing data of 136 million users (source)
- Google Chrome Beta Tests New DBSC Protection Against Cookie-Stealing Attacks (source)
- Google fixes two Pixel zero-day flaws exploited by forensics firms (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-11-11 | CVE-2020-17087 | Incorrect Calculation of Buffer Size vulnerability in Microsoft products Windows Kernel Local Elevation of Privilege Vulnerability | 7.8 |
| 2020-11-03 | CVE-2020-16009 | Type Confusion vulnerability in multiple products Inappropriate implementation in V8 in Google Chrome prior to 86.0.4240.183 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2020-11-03 | CVE-2020-16010 | Out-of-bounds Write vulnerability in Google Chrome Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 8.8 |