Google has patched two new zero-day vulnerabilities in its Chrome web browser, bringing to five the number of fixes for actively exploited bugs in the browser over the past three weeks.
“Google is aware of reports that exploits for CVE-2020-16013 and CVE-2020-16017 exist in the wild,” said Google about the vulnerabilities affecting the browser's Windows, macOS, and Linux versions. Details about the security loopholes remain sparse, although the tech giant did disclose that both are classified as high-severity and were reported by external researchers who wish to remain anonymous.
One of the flaws (CVE-2020-16013) is caused by an inappropriate implementation in the V8 JavaScript engine, whereas the other security hole (CVE-2020-16017) is a use-after-free memory corruption flaw located in Site Isolation, a Chrome security feature that isolates websites into sandboxes, limiting their interaction with one another.
Users would be well advised to update their browsers to the latest version (86.0.4240.198) as soon as practicable. If you have automatic updates enabled, your browser should update by itself. Otherwise, you’ll have to do it manually by navigating to the About Google Chrome section, which can be found under Help in the side menu.
A bumper crop of patches
It’s been an unusually busy season for zero-day disclosures. In October, Google patched an actively exploited zero-day bug indexed as CVE-2020-15999 and affecting FreeType, a widely used software library that is also a Chrome component. The flaw was being exploited as part of a chain with a Windows zero-day bug tracked as CVE-2020-17087 and residing in the Kernel Cryptography Driver, which Microsoft fixed as part of Patch Tuesday this week.
Early this month, Google issued another Chrome update, this time fixing two zero-day bugs. The first one, CVE-2020-16009, was found to affect the desktop version of its browser and was also caused by an inappropriate implementation in V8. The second bug, indexed as CVE-2020-16010, impacted the Android version of the browser and stemmed from a heap buffer overflow in the user interface.
Within days, Apple released updates of its own to address three bugs in iOS under active attack. These vulnerabilities, along with the earlier ones in Chrome and Windows, were all discovered by Google’s Project Zero team.