
New Chrome 0-day Under Active Attacks – Update Your Browser Now


Attention readers: if you are using the Google Chrome browser on your Windows, Mac, or Linux computers, you need to update your web browsing software immediately to the latest version Google released earlier today.

Google released Chrome version 86.0.4240.111 today to patch several high-severity security issues, including a zero-day vulnerability that has been exploited in the wild by attackers to hijack targeted computers.

Tracked as CVE-2020-15999, the actively exploited vulnerability is a type of memory-corruption flaw called a heap buffer overflow in FreeType, a popular open source software development library for rendering fonts that comes packaged with Chrome.

The vulnerability was discovered and reported by security researcher Sergei Glazunov of Google Project Zero on October 19 and is subject to a seven-day public disclosure deadline due to the flaw being under active exploitation.

Glazunov also immediately reported the zero-day vulnerability to FreeType developers, who then developed an emergency patch to address the issue on October 20 with the release of FreeType 2.10.4.

Without revealing technical details of the vulnerability, the technical lead for Google’s Project Zero, Ben Hawkes, warned on Twitter that while the team has only spotted an exploit targeting Chrome users, it's possible that other projects that use FreeType might also be vulnerable and are advised to deploy the fix included in FreeType version 2.10.4.

“While we only saw an exploit for Chrome, other users of freetype should adopt the fix discussed here: — the fix is also in today’s stable release of FreeType 2.10.4,” Hawkes writes.

According to details shared by Glazunov, the vulnerability exists in FreeType’s function “Load_SBit_Png,” which processes PNG images embedded into fonts. It can be exploited by attackers to execute arbitrary code just by using specifically crafted fonts with embedded PNG images.

“The issue is that libpng uses the original 32-bit values, which are saved in `png_struct`. Therefore, if the original width and/or height are greater than 65535, the allocated buffer won't be able to fit the bitmap,” Glazunov explained.
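The size mismatch Glazunov describes, as an added example that is not FreeType or Chrome code: a simplified model in which the function names, the 4-bytes-per-pixel figure and the sample dimensions are assumptions. It shows how storing a 32-bit dimension in a 16-bit field shrinks the allocation, and a range check that rejects such an image before anything is allocated.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model with hypothetical names; this is not FreeType source. */
#define BYTES_PER_PIXEL 4u /* assumption: 32-bit colour bitmap */

/* Flawed pattern: the 32-bit PNG header dimensions are stored in 16-bit
   fields, and the bitmap buffer is sized from the truncated values. */
size_t alloc_size_truncated(uint32_t png_w, uint32_t png_h)
{
    uint16_t w = (uint16_t)png_w; /* high 16 bits silently dropped */
    uint16_t h = (uint16_t)png_h;
    return (size_t)w * BYTES_PER_PIXEL * h;
}

/* What the decoder writes: it still uses the original 32-bit values. */
uint64_t decoder_write_size(uint32_t png_w, uint32_t png_h)
{
    return (uint64_t)png_w * BYTES_PER_PIXEL * png_h;
}

/* Hardened check, run before allocating: reject any image whose
   dimensions do not survive the 16-bit store. 0 = accept, -1 = reject. */
int check_sbit_png_dims(uint32_t png_w, uint32_t png_h)
{
    if (png_w == 0 || png_h == 0)
        return -1;
    if (png_w > UINT16_MAX || png_h > UINT16_MAX)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample dimensions: one ordinary, one above 65535. */
    uint32_t dims[2][2] = { { 128, 128 }, { 0x10004, 16 } };
    for (int i = 0; i < 2; i++) {
        uint32_t w = dims[i][0], h = dims[i][1];
        printf("%ux%u: allocated=%zu written=%llu verdict=%s\n",
               (unsigned)w, (unsigned)h, alloc_size_truncated(w, h),
               (unsigned long long)decoder_write_size(w, h),
               check_sbit_png_dims(w, h) == 0 ? "accept" : "reject");
    }
    return 0;
}
```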

Glazunov also published a font file with a proof-of-concept exploit.

Google released Chrome 86.0.4240.111 as Chrome’s “stable” version, which is available to all users, not just to opted-in early adopters, saying that the company is aware of reports that “an exploit for CVE-2020-15999 exists in the wild,” but did not reveal further details of the active attacks.

Besides the FreeType zero-day vulnerability, Google also patched four other flaws in the latest Chrome update: three high-risk vulnerabilities (an inappropriate implementation bug in Blink, a use-after-free bug in Chrome’s media, and a use-after-free bug in PDFium) and one medium-risk use-after-free issue in the browser’s printing function.

Although the Chrome web browser automatically notifies users about the latest available version, users are recommended to manually trigger the update process by going to “Help → About Google Chrome” from the menu.

