Google’s recently released versions of Chrome and Chrome OS had a bit of an Achilles heel: a rather pesky zero-day vulnerability that could corrupt the system’s memory from the browser or OS. The bug has been assigned CVE-2020-15999, but has not yet been given an official score. Google rates the vulnerability as "high" severity, and it has already been found being exploited in the wild, so users need to patch their systems ASAP.
The bug was discovered on October 19th by Sergei Glazunov of Google Project Zero. The Project Zero team is tasked with finding zero-day vulnerabilities in Google's own products (and competitors'), and with this bug the team found issues in FreeType, the open-source font rendering library. Ben Hawkes, manager of Project Zero, tweeted an announcement of the discovery when it first came out.
In a FreeType update, the developers described the issue as “a severe vulnerability in embedded PNG bitmap handling.” A flaw in this handling leads to a heap buffer overflow that could corrupt system memory. The Project Zero team also reported that “an exploit for CVE-2020-15999 exists in the wild.” This should not be a big deal, though, as it is easy to mitigate.
A couple of days ago, an update for Chrome began to roll out to fix the issue. Today, Google finally updated Chrome OS to 86.0.4240.112, which also fixes the problem for Chromebooks. However, any other software that uses the affected FreeType code may still be vulnerable, and it would need to be updated separately. This is why it is crucial to update early and update often to reduce exposure to zero-day exploits.