New Zero-Day Vulnerability Exposes Google Chrome Browser
On the 21/10/2020, Google released a stable channel update of Google Chrome desktop to patch several high-risk security issues which have been uncovered. Included in the patch release was a zero-day vulnerability which could be exploited by an attacker to hijack targeted computers.
|CVE-2020-15999||High||Heap buffer overflow in FreeType|
|CVE-2020-16000||High||Inappropriate implementation in Blink|
|CVE-2020-16001||High||Use after free in media|
|CVE-2020-16002||High||Use after free in PDFium|
|CVE-2020-16003||Medium||Use after free in printing|
CVE-2020-15999 relates to a type of memory corruption flaw called a heap buffer overflow. This corruption flaw was discovered in FreeType which is a commonly used open source software development library for rendering fonts that comes pre-packaged with Chrome.
Sergei Glazunov, a security researcher with Google Project Zero initially discovered and reported the flaw on the 19/10/2020. The zero-day vulnerability was also immediately reported to FreeType developers by Glazunov. FreeType developers developed an emergency patch on the 20/10/2020 to address the issue. This patch was released as FreeType 2.10.4.
While the team at Google’s Project Zero has only spotted an exploit targeting Google Chrome users, their technical lead Ben Hawkes warned on Twitter that other projects using FreeType might also be vulnerable. It is advised that anyone using FreeType in their projects should immediately deploy the fix included in FreeType version 2.10.4.
What should I do?
If you use Google Chrome or the open-source version of Chrome ‘Chromium’, you should check that your auto-updater is active and working and that you have the latest version installed. If you are not patched we highly recommend that you patch immediately.
To find out if you have the latest version installed you need to go to the ‘About Chrome’ or ‘About Chromium’ section of your browser. To get here you open Chrome or Chromium on your computer and click the(More) symbol in the top right hand corner. Just under the X (Window Close) button. This will produce a dropdown menu, from there click Help > About Google Chrome.
The current version number of your browser is the series of numbers which appear under the “Google Chrome” heading. You are looking for version number ‘86.0.4240.111’ this is the version number that was released on 21/10/2020 and available to all users.
However, there is a possibility you will see version number ‘86.0.4240.75’ or earlier when you open the About Chrome section. This means you are still on a previous version and your system hasn’t updated. Whilst on the ‘About Google’ page you will be able to check for updates or Chrome will inform you of any pending updates.
If you rarely close your browser at the end of the day before locking your device, now would be a good time to close down your browser and reopen it. This will give Chrome a chance to install the update. You should be able to spot a pending update by the presence of an upward arrow in a circle in the far right of your address bar.
For people using ‘Chromium’ (that’s the open-source version of Chrome), you should follow your usual update procedure, which will depend on the operating system you’re using and where you initially got Chromium.
Why should I install the update?
Updates are issued for a number of reasons, one of which is security. Most updates will include bug fixes which could expose your devices and infrastructure. It is good practice to ensure you all your devices and software applications are up-to-date as running old versions could increase your risk of a cyber attack.
In relation to this particular update, it is extremely important to install as it includes patches for five security bugs which were discovered.
Most crucially one of these bugs, recorded as CVE-2020-15999, is already known to attackers as the update notification states “Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild”. This bug could pose an immediate threat to your devices which is why we advise installing this latest update as soon as possible.
How can we help?
Secora Consulting offers a wide range of services which we tailor to meet our client's requirements. Our Vulnerability Assessment service can provide you with a prioritised list of your vulnerabilities and easy to follow remediation advice to immediately improve your cyber security posture. We can help you prepare for the worst-case scenario by simulating threats to your organisation.
Should you ever be on the unfortunate end of a cyber attack our in-depth knowledge and Incident Response service will have your organisation ransomware free and up and running in no time.
Partner with us today, our experienced consultants will go the extra mile to ensure your organisation stays secure by:
- Validating implemented security controls.
- Prioritising your risks based on their exploitability and impact.
- Providing expert and effective advice to immediately improve your cyber security posture.
- Understanding how uncovered issues will affect your organisation, operations availability and profitability.
- Recovery from incidents and cyber attacks.
All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.