On Wednesday, search engine behemoth Google released Chrome version 86.0.4240.198 to fix two zero-day flaws that were used aggressively.

These two vulnerabilities mark the fourth and fifth zero-days that the search engine giant has fixed in Chrome over the last couple of weeks.

The difference, however, this time is that while the first three zero-days were revealed internally by Google security investigators, these two new zero-days came to Google’s attention after instructions from unidentified sources.

As per the Chrome 86.0.4240.198 changelog, the two zero-days are pursued and defined as follows:

CVE-2020-16013 – Described as an “inappropriate implementation in V8,” where V8 is the Chrome component that deals with JavaScript code.

CVE-2020-16017 – Described as a “use after free” memory corruption bug in Site Isolation, the Chrome module that separates each site’s data from one another.

It is presently indefinite if the two flaws have been used together, or used separately. The first one was reported on Monday, while the second was reported earlier today, on Wednesday.

These two zero-days come after Google also patched:

CVE-2020-15999 – a zero-day in Chrome’s FreeType font version library that Google patched on October 20. This Chrome zero-day was exploited together with a Windows zero-day (CVE-2020-17087), which Microsoft repaired Tuesday.

CVE-2020-16009 – a second zero-day, also in Chrome’s V8 JavaScript engine, which Google fixed on November 2.

CVE-2020-16010 – a third zero-day, this time in Chrome for Android, affecting the browser’s user interface (UI) component.

Most zero-days are typically used in targeted attacks against a small number of selected targets, so most users shouldn’t unnecessarily panic.


Leave a Reply

Your email address will not be published. Required fields are marked *