Google fixes the second zero-day in Chrome in 2 weeks actively exploited

Google released Chrome 86.0.4240.183 for Windows, Mac, and Linux to fix 10 security vulnerabilities, including an RCE zero-day exploited in the wild.

Google has released Chrome 86.0.4240.183 for Windows, Mac, and Linux that address ten security vulnerabilities including a remote code execution (RCE) zero-day (CVE-2020-16009) exploited by threat actors in the wild.

The RCE is an inappropriate implementation in V8, which is Google’s open-source and C++ based high-performance WebAssembly and JavaScript engine.

The zero-day flaw was discovered on October 29, 2020 by Google white-hat hacker Samuel Groß of Google Project Zero and  Clement Lecigne of Google’s Threat Analysis Group.

Google revealed that it is aware of the availability of an exploit for CVE-2020-16009 in the wild, anyway the tech giant did provide any details about the attackers that are exploiting it in the wild.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.“ reads the advisory published by Google. “Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild.”

Google addressed another zero-day sandbox escape flaw, tracked as CVE-2020-16010, that affects Chrome for Android which is also exploited in attacks in the wild.

Below the remaining high severity security vulnerabilities addressed with the release of Chrome 86.0.4240.183:

[$15000][1138911] High CVE-2020-16004: Use after free in user interface. Reported by Leecraso and Guang Gong of 360 Alpha Lab working with 360 BugCloud on 2020-10-15
[$15000][1139398] High CVE-2020-16005: Insufficient policy enforcement in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2020-10-16
[$5000][1133527] High CVE-2020-16006: Inappropriate implementation in V8. Reported by Bill Parks on 2020-09-29
[$1000][1125018] High CVE-2020-16007: Insufficient data validation in installer. Reported by Abdelhamid Naceri (halov) on 2020-09-04
[$TBD][1134107] High CVE-2020-16008: Stack buffer overflow in WebRTC. Reported by Tolya Korniltsev on 2020-10-01
[$NA][1143772] High CVE-2020-16009: Inappropriate implementation in V8. Reported by Clement Lecigne of Google’s Threat Analysis Group and Samuel Groß of Google Project Zero on 2020-10-29
[$NA][1144489] High CVE-2020-16011: Heap buffer overflow in UI on Windows. Reported by Sergei Glazunov of Google Project Zero on 2020-11-01

CVE-2020-16009 is the second zero-day discovered in Chrome that was actively exploited in the wild in the past two weeks.

Security researchers from Google have disclosed a zero-day vulnerability in the Windows operating system, tracked as CVE-2020-17087, that is currently under active exploitation.

Ben Hawkes, team lead for Google Project Zero team, revealed on Twitter that the vulnerability was chained with another Chrome zero-day flaw, tracked as CVE-2020-15999, that Google recently disclosed.

Google researchers expect a patch for this zero-day flaw to be available on November 10. The Director of Google’s Threat Analysis Group, Shane Huntley (@ShaneHuntley), confirmed that the vulnerability was exploited in targeted attacks that are not related to the forthcoming US election.

Google did not provide info on the attackers that have already exploited the flaw, but experts speculate that they were nation-state actors.

The Chrome zero-day is a sandbox escape issue, it allows attackers to escape Chrome’s secure container and run code on the underlying operating system.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Chrome zero-day)

[adrotate banner=”5″]

[adrotate banner=”13″]