Security News > 2020 > November > 2 More Google Chrome Zero-Days Under Active Exploitation
Google is asking Chrome desktop users to prepare to update their browsers once again as two more zero-day vulnerabilities have been identified in the software.
CVE-2020-16017 is described by Google as a "Use-after-free in site isolation," which is the Chrome component that isolates the data of different sites from each other.
The latest spate of Chrome zero-day discoveries and patches started on Oct. 19, when security researcher Sergei Glazunov of Google Project Zero discovered a type of memory-corruption flaw called a heap-buffer overflow in FreeType that was being actively exploited.
Google patched two separate zero-day flaws in Google's Chrome desktop and Android-based browsers.
The desktop bug is the aforementioned V8 vulnerability, which could be used for remote code-execution discovered by researchers at Google's Threat Analysis Group and Google Project Zero.
News URL
https://threatpost.com/2-zero-day-bugs-google-chrome/161160/
Related news
- Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day (source)
- How to enable Safe Browsing in Google Chrome on Android (source)
- Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices (source)
- New tool bypasses Google Chrome’s new cookie encryption system (source)
- Google: 70% of exploited flaws disclosed in 2023 were zero-days (source)
- Google to let businesses create curated Chrome Web Stores for extensions (source)
- Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine (source)
- Google fixes two Android zero-days used in targeted attacks (source)
- Google says “Enhanced protection” feature in Chrome now uses AI (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-01-08 | CVE-2020-16017 | Use After Free vulnerability in Google Chrome Use after free in site isolation in Google Chrome prior to 86.0.4240.198 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |