قالب وردپرس درنا توس
Home / Technology / Google fixes two more Chrome zero-days that are being actively exploited

Google fixes two more Chrome zero-days that are being actively exploited



The word ZERO-DAY is hidden between a screen filled with letters and zeros.

Google has patched two zero-day vulnerabilities in its Chrome browser, the third time in two weeks the company has fixed a Chrome security vulnerability that is being actively exploited.

According to a tweet on Monday from Ben Hawkes, head of Google̵

7;s Project Zero vulnerability research and exploitation, CVE-2020-16009, when the vulnerability was first tracked, was a remote code execution bug. in V8, Chrome’s open source JavaScript engine. The second security vulnerability, CVE-2020-16010, is a heap-based buffer overflow in Chrome for Android. Hawkes says it allows attackers to get rid of the Android sandbox, suggesting that hackers may have used it in conjunction with a separate vulnerability.

Hawkes did not provide additional insights, such as which desktop version of Chrome is actively targeted, who the victims are, or how long the attacks have been around. It is also not clear whether the same attacker group is responsible for all three exploits. CVE-2020-16009 was partly discovered by a member of the Google Threat Analysis Team, which focuses on government-backed hacking, suggesting that exploiting that security vulnerability could be work of a country. Project Zero was involved in exploring all three of 0 days.

The updates come two weeks after Google fixed CVE-2020-15999, a vulnerability actively exploited in Freetype, which Chrome and non-Google apps use to render fonts. To gain code execution capabilities, the hacker combined the exploit with a separate tool that targeted the currently unpatched bug in Windows 10 and Windows 7.

The desktop versions of Chrome usually update automatically. That means, for most users, patches for CVE-2020-16009 and CVE-2020-15999 have been installed, as long as they have recently restarted their browser. Chrome for Android is updated through Google Play. The Chrome Android advisor says the fix is ​​integrated into version 86.0.4240.185. The message continues to say the update will be available “in the next few weeks”, but the phone I check (Pixel) has the update installed.




Source link