Urgent: Active Attacks Exploit New Chrome Zero-Day – Update Your Browser Immediately

Critical Update Required for Google Chrome Users: Zero-Day Vulnerability Exploited

Business owners and professionals using Google Chrome on Windows, Mac, or Linux systems are urged to update their browsers immediately. On October 20, Google rolled out version 86.0.4240.111, addressing multiple high-severity security vulnerabilities, including an urgent zero-day flaw that has been actively exploited.

The vulnerability, identified as CVE-2020-15999, is a memory-corruption flaw: a heap buffer overflow in FreeType, an open-source library that Chrome uses for font rendering. Exploitation could cause serious damage because it allows attackers to hijack targeted systems, raising significant security concerns for businesses and individuals alike.

Security researcher Sergei Glazunov from Google Project Zero discovered and reported this vulnerability on October 19. Given its active exploitation, it was disclosed to the public under a tight seven-day deadline following its detection. Glazunov not only flagged the issue to Google but also informed FreeType developers, resulting in an emergency patch released just a day later on October 20.

While Google has confirmed that they identified an exploit specifically targeting Chrome, it is advisable for other applications utilizing FreeType to adopt the fixes included in version 2.10.4. The implications of this vulnerability may extend beyond Chrome, suggesting that other projects leveraging FreeType could also be at risk.

In a communication posted on Twitter, Ben Hawkes, technical lead for Google’s Project Zero, emphasized the importance of the fix available in FreeType 2.10.4. He urged system administrators to consider the broader vulnerabilities tied to this library, especially in light of the exploitation risks involved.

Glazunov’s insights shed light on the specifics of the flaw, particularly within FreeType’s “Load_SBit_Png” function, which processes embedded PNG images in fonts. Attackers could exploit this flaw through specially crafted fonts, enabling them to execute arbitrary code — a serious breach that could compromise organizational data integrity.

In addition to addressing the FreeType zero-day vulnerability, Google has patched four other security issues in the recent Chrome update. Among these are three high-risk vulnerabilities involving inappropriate implementations tied to the Blink rendering engine and media handling, as well as a medium-risk vulnerability related to the browser’s printing function.

As cyber threats evolve, it remains critical for users to ensure they are on the latest version of software. Although Google Chrome typically notifies users automatically, it is recommended that users manually navigate to “Help → About Google Chrome” to trigger the update process and bolster their defense against potential attacks.
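For administrators checking more than one machine, the following added example (not from the original article, Google, or the FreeType project) triages a software inventory against the two fixed versions named above, Chrome 86.0.4240.111 and FreeType 2.10.4. The `host,product,version` line format and the sample entries are assumptions constructed for illustration.

```python
import re

# Fixed versions as stated in the article.
FIXED = {"chrome": (86, 0, 4240, 111), "freetype": (2, 10, 4)}
_VERSION = re.compile(r"^(\d+(?:\.\d+)+)(.*)$")

def classify(product, version):
    """Return 'ok', 'update', 'review' or 'unknown' for one inventory entry."""
    fixed = FIXED.get(product.strip().lower())
    match = _VERSION.match(version.strip())
    if fixed is None or match is None:
        return "unknown"
    parts = tuple(int(p) for p in match.group(1).split("."))
    # Pad so that 2.9 compares as 2.9.0 rather than as a shorter tuple.
    parts += (0,) * (len(fixed) - len(parts))
    if parts >= fixed:
        return "ok"
    # A packaging suffix (e.g. "-2") marks a distribution build, which may
    # carry a backported fix without changing the upstream version number.
    return "review" if match.group(2) else "update"

def triage(lines):
    """Parse 'host,product,version' lines; return entries that are not 'ok'."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            findings.append((line.strip(), "", "", "unknown"))
            continue
        status = classify(fields[1], fields[2])
        if status != "ok":
            findings.append((*fields, status))
    return findings

# Constructed sample inventory (hosts and versions are made up for the example).
SAMPLE = """\
ws-014,chrome,86.0.4240.75
ws-015,chrome,86.0.4240.111
ws-016,Chrome,87.0.4280.66
build-02,freetype,2.10.1-2
build-03,freetype,2.10.4
kiosk-07,freetype,2.9
kiosk-08,chrome,unknown
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="\t")
```

Entries marked `review` are distribution-packaged builds below the upstream fixed version; confirm against the vendor's advisory whether the fix was backported before treating them as patched or unpatched.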

As this incident highlights, organizations leveraging web technologies must remain vigilant and proactive in their cybersecurity practices. Utilizing frameworks like the MITRE ATT&CK Matrix can aid businesses in assessing the tactics and techniques potentially employed during such attacks, including initial access strategies and privilege escalation methods.

Awareness and timely action are paramount in mitigating the risks associated with evolving cyber threats. The active exploitation of high-severity vulnerabilities underscores the need for constant vigilance in cybersecurity protocols, particularly in an increasingly digital business landscape.
