Google released a security update today for its Chrome web browser that contains ten security fixes, including one for a zero-day vulnerability that is currently being actively exploited.
Identified as CVE-2020-16009, the zero-day was discovered by the Google Threat Analysis Team (TAG), a security team at Google that keeps track of threat actors and their ongoing activities.
In typical Google fashion, details about the zero-day and its exploits have not been made public, as a way to give Chrome users more time to install the updates and to stop other threat actors from developing their own exploits for the same zero-day.
Chrome users should update their browser to version 86.0.4240.183 or higher.
Second zero-day in two weeks
This is the second Chrome zero-day that Google has discovered exploited in the wild in the past two weeks.
On October 20, Google also released a security update for Chrome to fix CVE-2020-15999, a zero-day in Chrome's FreeType font rendering library.
As Google revealed last week on Friday, this Chrome zero-day has been used alongside a Windows zero-day (CVE-2020-17087).
The Chrome zero-day is used to execute malicious code within Chrome, while the Windows zero-day is used to elevate that code's privileges and attack the underlying Windows operating system. Microsoft is expected to fix this zero-day on November 10, in the company's next Patch Tuesday release.
Google has not made it clear whether these two zero-days have been abused by the same threat actor.