Google has patched two zero-day vulnerabilities in its Chrome browser, the third time in two weeks the company has fixed a Chrome security vulnerability that is being actively exploited.
Hawkes did not provide additional insights, such as which desktop version of Chrome is actively targeted, who the victims are, or how long the attacks have been around. It is also not clear whether the same attacker group is responsible for all three exploits. CVE-2020-16009 was partly discovered by a member of the Google Threat Analysis Team, which focuses on government-backed hacking, suggesting that exploiting that security vulnerability could be work of a country. Project Zero was involved in exploring all three of 0 days.
The updates come two weeks after Google fixed CVE-2020-15999, a vulnerability actively exploited in Freetype, which Chrome and non-Google apps use to render fonts. To gain code execution capabilities, the hacker combined the exploit with a separate tool that targeted the currently unpatched bug in Windows 10 and Windows 7.
The desktop versions of Chrome usually update automatically. That means, for most users, patches for CVE-2020-16009 and CVE-2020-15999 have been installed, as long as they have recently restarted their browser. Chrome for Android is updated through Google Play. The Chrome Android advisor says the fix is integrated into version 86.0.4240.185. The message continues to say the update will be available “in the next few weeks”, but the phone I check (Pixel) has the update installed.