The memory-corruption vulnerability exists in the browser’s FreeType font rendering library.
Google released an update to its Chrome browser that patches a zero-day vulnerability in the software’s FreeType font rendering library that was actively being exploited in the wild.
Security researcher Sergei Glazunov of Google Project Zero discovered the bug, which is classified as a type of memory-corruption flaw known as a heap buffer overflow in FreeType. Glazunov informed Google of the vulnerability on Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.
By Tuesday, Google had already released a stable channel update, Chrome version 86.0.4240.111, that deploys five security fixes for Windows, Mac and Linux, among them a fix for the zero-day, which is being tracked as CVE-2020-15999 and is rated as high risk.
“Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild,” Prudhvikumar Bommana of the Google Chrome team wrote in a blog post announcing the update Tuesday. Google did not reveal further details of the active attacks that researchers observed.
Andrew R. Whalley, a member of the Chrome security team, gave his team kudos on Twitter for the “super-fast” response to the zero-day.
Still, Ben Hawkes, technical lead for the Project Zero team, warned that although Google researchers only observed the Chrome exploit, it is possible that other implementations of FreeType might be vulnerable as well, given that Google was so quick in its response to the bug. He referred users to a fix by Glazunov posted on the FreeType Project page and urged them to update other potentially vulnerable software.
“The fix is also in today’s stable release of FreeType 2.10.4,” Hawkes tweeted.
Meanwhile, security researchers took to Twitter to encourage people to update their Chrome browsers immediately to avoid falling victim to attackers aiming to exploit the flaw.
“Make certain you update your Chrome right now! (restart it!),” tweeted London-based application security expert Sam Stepanyan.
In addition to the FreeType zero-day, Google patched four other bugs, three of high risk and one of medium risk, in the Chrome update released this week.
The high-risk vulnerabilities are: CVE-2020-16000, described as “inappropriate implementation in Blink”; CVE-2020-16001, described as “use after free in media”; and CVE-2020-16002, described as “use after free in PDFium,” according to the blog post. The medium-risk bug is being tracked as CVE-2020-16003, described as “use after free in printing,” Bommana wrote.
So far in the past 12 months Google has patched a few zero-day vulnerabilities in its Chrome browser. Prior to this week’s FreeType disclosure, the first was a critical remote code execution vulnerability patched last Halloween night and tracked as CVE-2019-13720, and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was fixed in February.