Google developers have released Chrome version 86.0.4240.183 for Windows, Mac and Linux, which fixes 10 different problems. The update also includes a patch for a 0-day vulnerability in Google Chrome that attackers are already actively exploiting.
The bug was identified as CVE-2020-16009 and was discovered by the Threat Analysis Group (TAG), Google’s internal security team dedicated to tracking attackers and their ongoing operations.
So far, details about the vulnerability and its exploitation have not been disclosed. This is common practice for Google: the company's specialists can withhold the technical details of bugs for months, so as not to give cybercriminals hints and to give users time to install updates.
Two weeks ago, Google experts fixed another 0-day vulnerability in their browser. That bug was also discovered internally, by Google Project Zero specialists. It was identified as CVE-2020-15999 and affected the FreeType font rendering library that ships with standard Chrome distributions. The bug is known to be a memory corruption issue.
Recall that CVE-2020-15999 was used in conjunction with another 0-day vulnerability, CVE-2020-17087, a serious bug found in the Windows kernel.
The Chrome vulnerability was used to run malicious code inside the browser, and the Windows zero-day was used in the second part of the attack, which allowed attackers to leave the secure Chrome container and execute code at the OS level (that is, to escape from the sandbox). Microsoft is expected to fix this issue on November 10th as part of Patch Tuesday.