Google Patches Chrome's Third Zero-Day Vulnerability

Google Patches Chrome's Third Zero-Day Vulnerability


Google has recently released another security update for the Android Chrome browser in order to fix a particular zero-day vulnerability that is currently the subject of exploitation. The Android Chrome version 86.0.4240.185 was previously released according to the official Google blog and it included fixes for the particular CVE-2020-16010 which is a heap buffer overflow vulnerability located in the Chrome for the Android user interface or UI component.

Google’s statements on Chrome Zero-Day Exploit

Google stated that the bug was then exploited in order to allow certain attackers to be able to bypass as well as escape the standard Chrome security sandbox programmed on Android devices and also run certain codes on the given underlying OS. The details about the recent attack were not yet made public as the user install the said updates. It also prevent other possible threat factors from developing the given exploits for the very same zero-day.

Google credits the internal Threat Analysis Group or TAG team for being the ones to discover the Android Chrome zero-day attacks. This then marks the third Chrome zero-day that was discovered by the official TAG team during the past two weeks. During the first two zero-days, only the Chrome for desktop versions were reportedly affected.

The Google Chrome vulnerability was exposed to be CVE-2020-15999

The first problem was patched back on October 20 and it was tracked as the CVE-2020-15999. This reportedly only affected Chrome’s own FreeType font rendering library. During a follow-up report released last week, Google stated that the very first Chrome zero-day was actually utilized together with the Windows zero-day, according to an article by ZDNet.

The first Chrome zero-day was supposedly part of a particular two-step exploit chain. Now, with the Chrome zero-day allowing certain attackers to execute some malicious code located inside the Chrome, the attackers are able to target the underlying Windows OS. This is done while the Windows zero-day was first used to elevate the said code’s privileges.

Read Also: Russian Hacker Who Stole at Least $100 Million Now in Jail

This was not the first zero-day experienced by Google

To top this off, Google has also patched the second zero-day just yesterday and were able to track it as CVE-2020-16009. This zero-day was described to be a remote code execution done in the Chrome V8 JavaScript engine.

Just hours after the official Chrome team released the first patches for the said second zero-day, Google then revealed the third zero-day that would only impact its Android Chrome version. While all of the three zero-days are all said to be quite different from one another, the impact has also reportedly hit different Chrome components and versions. Google, however, did not clarify if every one of the zero-days are being exploited all by the very same threat actor or being exploited by multiple groups.

Related Article: Warning: Malicious JavaScript Library Posing as Twilio-Related Libraries Opens Vulnerabilities to Programmers’ Computer

This article is owned by Tech Times

Written by Urian Buenconsejo

ⓒ 2018 All rights reserved. Do not reproduce without permission.