Google developers have released Chrome version 86.0.4240.183, patching another zero-day that has already been actively exploited. Overall, Update fixes ten different security holes in Chrome for Mac, Windows, and Linux.
The bug was identified as CVE-2020-16009 is said to be an “incorrect implementation” in Chrome’s web assembly and Javascript engine V8. A heap memory error can be exploited via a prepared HTML website, and code can be executed remotely.
Zero-day was discovered on October 29th by Clement Lecigne from Google’s Threat Analysis Group and Samuel Groß from the Google Project Zero.
So far, details about the vulnerability and its exploitation have not been disclosed. It is worth noting that this is a common practice for Google — the company’s specialists can “keep silent” for months on the technical details of bugs so as not to give cybercriminals hints and allow users to install updates calmly.
This is the second Chrome zero-day vulnerability that Google fixes in two weeks. Two weeks ago, Google closed another zero-day in the browser that was already being actively used. The security hole in the Freetype library used by Chrome / Chromium enabled malicious code to be executed within the browser.
To break out of this, the intruders used another, as yet unsolved security hole in the Windows kernel. Google reported this to Microsoft about ten days ago and published it a few days ago. Microsoft is currently working on a fix.
It is not yet known whether the zero-day now closed in Chrome/Chromium was also used in combination with the existing kernel security hole in Windows. This so-called chaining of security holes is not uncommon.
