Google has released Chrome 86.0.4240.111 for Windows, Mac, and Linux, patching a zero-day vulnerability that is being actively exploited in the wild.
Sergei Glazunov of Google Project Zero discovered the vulnerability, which is tracked as CVE-2020-15999. It is a memory corruption bug (a heap buffer overflow) in the FreeType font rendering library that ships with standard Chrome builds.
Ben Hawkes, technical lead of Google Project Zero, confirmed that attackers are actively using this FreeType bug against Chrome users.
For that reason, Hawkes recommended that vendors of other applications that use FreeType also ship fixes, since the exploit seen so far targets Chrome but the bug is in the shared library. The fix is included in FreeType 2.10.4, released on October 20.
New Chrome 0-Day Bug
Glazunov reported the bug to Google on Monday, October 19, and the fix shipped in Chrome the next day.
Chrome rates the flaw as High severity. Because it is under active exploitation, Project Zero applied its seven-day public disclosure deadline for in-the-wild bugs rather than its usual 90-day window.
Google has not published details of the Chrome-side bug, to avoid giving other attackers clues; as is common practice, bug details are often withheld for months so that users have time to update.
The vulnerability lies in FreeType's Load_SBit_Png function, which decodes PNG images embedded in fonts (color bitmap glyphs). Since the fix is visible in the public FreeType source, attackers can diff it and develop a working exploit within days or weeks.
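Added example (written for this page; not FreeType's source and not code from the article): a reduced C model of the bug class the fix addresses. FreeType keeps bitmap metrics in 16-bit fields while a PNG IHDR carries 32-bit dimensions; in the vulnerable code those values were narrowed before the glyph buffer was sized, while libpng decoded the full-size image into that buffer, and the 2.10.4 fix rejects widths or heights above 0x7FFF before any buffer is sized from them. The struct, function names and the constructed IHDR bytes below are assumptions of this example, not FreeType identifiers or a real font; the root cause and the bound are taken from the public fix.

```c
/*
 * Added illustration, not FreeType's code: a reduced model of the bug class
 * behind CVE-2020-15999 in Load_SBit_Png. The narrowing of PNG dimensions
 * into 16-bit bitmap fields and the 0x7FFF bound reflect the public FreeType
 * 2.10.4 fix; every struct, function name and the IHDR bytes below are this
 * example's own constructions (assumptions, not FreeType identifiers).
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of FreeType's 16-bit bitmap fields (FT_UShort width/rows). */
typedef struct {
    uint16_t width;        /* narrowed copy of the PNG width  */
    uint16_t rows;         /* narrowed copy of the PNG height */
    uint32_t pitch;        /* bytes per row, 4 bytes per pixel (RGBA) */
    uint64_t buffer_size;  /* bytes allocated for the glyph bitmap */
} sbit_bitmap_t;

/* Read width/height from the IHDR chunk that follows the 8-byte PNG signature.
 * Returns 0 on success, -1 on a malformed header (the CRC is not checked). */
int png_read_ihdr(const uint8_t *png, size_t len, uint32_t *w, uint32_t *h) {
    static const uint8_t sig[8] = {0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A};
    if (len < 24 || memcmp(png, sig, 8) != 0 || memcmp(png + 12, "IHDR", 4) != 0)
        return -1;
    const uint8_t *p = png + 16;
    *w = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    *h = ((uint32_t)p[4] << 24) | ((uint32_t)p[5] << 16) | ((uint32_t)p[6] << 8) | p[7];
    return 0;
}

/* Vulnerable pattern: the output buffer is sized from the narrowed 16-bit
 * fields, but the PNG decoder writes img_w * 4 bytes for each of img_h rows
 * using the untruncated IHDR values. Returns how many bytes the decoder
 * would write past the allocation (0 means the sizes agree). */
uint64_t sbit_overflow_bytes_vulnerable(uint32_t img_w, uint32_t img_h, sbit_bitmap_t *bm) {
    bm->width = (uint16_t)img_w;           /* silent truncation above 65535 */
    bm->rows  = (uint16_t)img_h;
    bm->pitch = (uint32_t)bm->width * 4;
    bm->buffer_size = (uint64_t)bm->pitch * bm->rows;
    uint64_t decoder_writes = (uint64_t)img_w * 4u * img_h;
    return decoder_writes > bm->buffer_size ? decoder_writes - bm->buffer_size : 0;
}

/* Hardened pattern, mirroring the 2.10.4 check: reject dimensions that do not
 * fit the 16-bit fields before anything is sized from them.
 * Returns 0 on success, -1 when the image is rejected (Array_Too_Large). */
int sbit_load_hardened(uint32_t img_w, uint32_t img_h, sbit_bitmap_t *bm) {
    if (img_w > 0x7FFF || img_h > 0x7FFF)
        return -1;
    bm->width = (uint16_t)img_w;  /* lossless now that the range is bounded */
    bm->rows  = (uint16_t)img_h;
    bm->pitch = (uint32_t)bm->width * 4;
    bm->buffer_size = (uint64_t)bm->pitch * bm->rows;
    return 0;
}

/* Constructed PNG header (signature + IHDR) declaring a 65537 x 1 image:
 * width 0x00010001 narrows to 1, so the vulnerable path allocates 4 bytes
 * while the decoder writes 65537 * 4 bytes. Not a real font or exploit. */
static const uint8_t k_malicious_ihdr[] = {
    0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A,   /* PNG signature */
    0x00, 0x00, 0x00, 0x0D,                         /* IHDR length = 13 */
    'I', 'H', 'D', 'R',
    0x00, 0x01, 0x00, 0x01,                         /* width  = 65537 */
    0x00, 0x00, 0x00, 0x01,                         /* height = 1 */
    0x08, 0x06, 0x00, 0x00, 0x00,                   /* 8-bit RGBA, no interlace */
    0x00, 0x00, 0x00, 0x00                          /* CRC placeholder */
};

/* Runs the constructed header through both paths. Returns the overflow the
 * vulnerable path would produce; *hardened_rc receives the hardened result. */
uint64_t demo_embedded_png(int *hardened_rc) {
    uint32_t w = 0, h = 0;
    sbit_bitmap_t bm;
    if (png_read_ihdr(k_malicious_ihdr, sizeof k_malicious_ihdr, &w, &h) != 0)
        return 0;
    uint64_t over = sbit_overflow_bytes_vulnerable(w, h, &bm);
    *hardened_rc = sbit_load_hardened(w, h, &bm);
    return over;
}

int main(void) {
    int rc = 0;
    uint64_t over = demo_embedded_png(&rc);
    printf("vulnerable path: decoder writes %llu bytes past the allocation\n",
           (unsigned long long)over);
    printf("hardened path: %s\n", rc == 0 ? "accepted" : "rejected (Array_Too_Large)");
    return 0;
}
```

The point to take from the model is that the check must sit before the narrowing cast, because after `(uint16_t)img_w` the oversized value is gone and the allocation looks consistent with the metrics; the decoder, which still holds the 32-bit dimensions, is what writes out of bounds. Any other consumer of FreeType that passes untrusted fonts through the PNG path inherits the same issue until it picks up 2.10.4 or the equivalent bound check.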
Four other security flaws
- CVE-2020-16000: Inappropriate implementation in Blink (reported by amaebi_jp on September 6)
- CVE-2020-16001: Use after free in media (reported by Khalil Zhani on October 15)
- CVE-2020-16002: Use after free in PDFium (reported by Weipeng Jiang (@Krace) of Legendsec's Codesafe team at Qi'anxin Group on October 13)
- CVE-2020-16003: Use after free in printing (reported by Khalil Zhani on October 4)
This is the third Chrome zero-day exploited in the wild in the past 12 months: CVE-2019-13720 was fixed in October 2019 and CVE-2020-6418 in February 2020.