Google Security Researchers Discover Zero-Day Exploit In Chrome And Chrome OS
Google’s recently released versions of Chrome and Chrome OS had a bit of an Achilles heel: a rather pesky zero-day vulnerability that could corrupt the system’s memory from the browser or OS. The bug has been given CVE-2020-15999, but has not even been given an official score yet. Google gives the exploit a "high" level of criticality, and it has already been found in the wild, so users need to patch their systems ASAP.
CVE-2020-15999 was discovered on October 19th by Sergei Glazunov at Google Project Zero. The Project Zero team is tasked with finding zero-day exploits in Googles's own products (and competitors), and with this bug, the team found issues with FreeType, the open-source font rendering library. Ben Hawkes, manager for Project Zero, tweeted an announcement of the discovery when it first came out.
Project Zero discovered and reported an actively exploited 0day in freetype that was being used to target Chrome. A stable release that fixes this issue (CVE-2020-15999) is available here: https://t.co/ZRQe72Qfkh
— Ben Hawkes (@benhawkes) October 20, 2020
In a FreeType update, the developers explained the issue as “a severe vulnerability in embedded PNG bitmap handling.” This handling would lead to a heap buffer overflow that could topple system memory. The Project Zero team also reported that “an exploit for CVE-2020-15999 exists in the wild.” This should not be a big deal, though, as it is easy to mitigate.
A couple of days ago, an update for Chrome began to roll out to solve the issue. Today, Google finally updated Chrome OS to 86.0.4240.112, which also fixes the problem for Chromebooks. However, any other service that uses the afflicted Freetype code may be vulnerable, and those services would need to be updated. This is why it is crucial to update early and update often to be less vulnerable to zero-day exploits.
