Google

In order to fix numerous bugs in the Chrome browser, Google has released fixes, including two that are deliberately used in attacks.

For a total of seven bugs, all of which have a severity ranking of extreme, Chrome 86.0.4240.183 for Windows , macOS, and Linux are moved into the stable channel with fixes.

Bugs include CVE-2020-16004 (use after free in the user interface), CVE-2020-16005 (failure to apply regulation in ANGLE), CVE-2020-16006 (failure to introduce in V8), CVE-2020-16007 (failure to validate data in the installer), CVE-2020-16008 (WebRTC stack buffer overflow), and CVE-2020-16011 (Windows UI inexpensive buffer overflow).

CVE-2020-16009 is the seventh of the vulnerabilities, defined as improper implementation in the V8 JavaScript engine. Google warns that in the wild, an exploit for the defect already exists.

The zero-day flaw, discovered by Clement Lecigne of Google’s Threat Research Division and Samuel Groß of the Project Zero team, can be abused to corrupt memory with a constructed HTML page and ultimately achieve arbitrary code execution.

An attacker will have to deceive the user into visiting the malicious website to exploit the bug. In fact, by having a user to visit a malicious website, all of these bugs can be abused for code execution or device compromise.

Google released fixes for other high-severity bugs in Chrome less than two weeks ago, including CVE-2020-15999, an aggressively abused FreeType zero-day bug.

Google has confirmed this week the release of a fix for CVE-2020-16010, a Chrome for Android high-severity bug, which has also been abused in the wild.

The problem was discovered by Maddie Stone, Mark Brand, and Sergei Glazunov of Google Project Zero, a heap buffer overflow in the UI on Android. The bug is solved by Chrome 86.0.4240.185 for Android.

Chrome-vulnerabilities-exploited

Ben Hawkes of Google Project Zero noted on Twitter that last week, both vulnerabilities were found.Google said it awarded the researchers who found the newly resolved bugs $36,000 in bug bounty incentives. However, the company did not include information on the sums charged for CVE-2020-16008 and states that the two deliberately abused vulnerabilities were not given a bounty.