Google patches Chrome zero-day under attack

Google has rolled out an update to its Chrome web browser that fixes five security flaws, including a vulnerability that is known to be actively exploited by attackers.

“Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild,” said Google about the zero-day flaw in FreeType, a widely used software development library that is also a Chrome component. The bug in this font rendering library affects the browser versions for Windows, macOS, and Linux.

The flaw, classified as high-severity, was reported by Sergei Glazunov, a member of Google’s Project Zero, on October 19^th, with the update released soon after. Details about the zero-day remain sparse, although Google did disclose that the memory-corruption flaw causes heap buffer overflow in FreeType. Heap overflows are known to cause data corruption or unexpected behavior on a system and may give an attacker "the keys to the kingdom".

“This is an emergency release, fixing a severe vulnerability in embedded PNG bitmap handling... All users should update immediately,” reads the message on the FreeType website.

Ben Hawkes, the technical lead at Project Zero, tweeted that although the team only noticed an exploit targeting Chrome, those using FreeType should also patch their systems using the software library’s emergency fix, lest they be targeted by cybercriminals rushing to exploit the loophole. He also addressed concerns about whether the zero-day might also affect Chrome for Android.

The update also patched four other vulnerabilities, with three of them considered high- and one medium-severity bugs.

If you have automatic updates enabled, your browser should update to the latest 86.0.4240.111 version by itself. However, if you haven’t enabled this option, you’ll have to do it yourself via the About Google Chrome section, which is located under Help in the side menu.

UPDATE (November 2nd, 2020):

As we wrote in another article, the flaw is apparently being exploited in conjunction with another zero-day, which affects the Windows Kernel Cryptography Driver (cng.sys).