More Zero-Day Vulnerabilities discovered in Chrome

In a recent blog post we discussed a zero-day vulnerability that Google had discovered in its Chrome browser, which led to an update being issued to all users.

Since then, Google has discovered and patched two more zero-day flaws in the Chrome browser for desktop. These are the fourth and fifth actively exploited vulnerabilities addressed by the search giant in recent weeks.

Unlike the previous flaws, which were discovered by Google’s elite security team Project Zero, the new flaws, logged as CVE-2020-16013 and CVE-2020-16017, were discovered and disclosed by ‘anonymous sources’.

According to the release notes published by Google Chrome, the two flaws are:

| Designation    | Threat Level | Description |
|----------------|--------------|-------------|
| CVE-2020-16013 | HIGH         | Inappropriate implementation in the V8 JavaScript engine |
| CVE-2020-16017 | HIGH         | Use-after-free memory corruption affecting unknown functionality in the ‘site isolation’ component |

Google is aware that exploits for both vulnerabilities exist in the wild, but has not shared any more specifics. Over the last couple of weeks, a number of actively exploited zero-day flaws targeting Chrome have been disclosed by Google. It appears that several of these issues may be strung together to form an exploit chain; however, Google is yet to reveal details about who may be using them and who the intended targets were.

What should I do?

If you use Google Chrome, you should check that auto-update is active and working. Google has released stable update 86.0.4240.198 for all Windows, Mac and Linux machines. If you are not patched, we highly recommend that you patch immediately.

To find out whether you have the latest version installed, go to the ‘About Google Chrome’ section of your browser. To get there, open Chrome on your computer and click the three-dot (More) menu in the top right-hand corner, just under the X (window close) button. This opens a dropdown menu; from there click Help > About Google Chrome.

The current version number of your browser is the series of numbers that appears under the ‘Google Chrome’ heading. You are looking for version number ‘86.0.4240.198’; this is the version that was released on 11/11/2020 and is available to all users.

If you don’t see the above number in the About Google Chrome section, it means you are still on a previous version and your system hasn’t updated. While on the ‘About Google Chrome’ page you will be able to check for updates, or Chrome will inform you of any pending updates.

If you rarely close your browser at the end of the day before locking your device, now would be a good time to close your browser and reopen it. This gives Chrome a chance to install the update. You should be able to spot a pending update by the presence of an upward arrow in a circle on the far right of your address bar.
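The steps above check a single machine through the browser’s menus. For anyone who needs to confirm the same thing across several Linux or Mac machines, the following script is an added example (it is not from the original post and not a Google tool). It assumes the `google-chrome` binary is on the PATH on Linux, or that the standard macOS application bundle path exists, and that `--version` prints a line such as “Google Chrome 86.0.4240.198”. It compares the installed build against 86.0.4240.198 field by field, so a newer build such as 87.x is also reported as patched.

```shell
#!/bin/sh
# Added example: report whether the installed Chrome build includes the fixes
# for CVE-2020-16013 and CVE-2020-16017 (first shipped in 86.0.4240.198).
# Assumptions (not from the original post): Chrome version strings have four
# numeric fields, and the binary locations below are where Chrome was installed.
PATCHED_VERSION="86.0.4240.198"

# version_ge A B: exit 0 if dotted version A is greater than or equal to B.
# Compares up to four numeric fields; missing fields are treated as 0.
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        fa=$(printf '%s' "$a" | cut -d. -f"$i")
        fb=$(printf '%s' "$b" | cut -d. -f"$i")
        fa=${fa:-0}; fb=${fb:-0}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# extract_version "Google Chrome 86.0.4240.198" -> 86.0.4240.198
# Pulls the first four-field dotted number out of the --version output.
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n1
}

# installed_chrome_version: ask the local binary for its version (Linux first,
# then the macOS bundle). Prints nothing if Chrome cannot be found.
installed_chrome_version() {
    if command -v google-chrome >/dev/null 2>&1; then
        extract_version "$(google-chrome --version 2>/dev/null)"
    elif [ -x "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" ]; then
        extract_version "$("/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --version 2>/dev/null)"
    fi
}

# check_chrome VERSION: print a verdict. Exit 0 = patched, 1 = needs update,
# 2 = Chrome not found / version string not recognised.
check_chrome() {
    v="$1"
    if [ -z "$v" ]; then
        echo "Chrome not found or version string unrecognised"
        return 2
    fi
    if version_ge "$v" "$PATCHED_VERSION"; then
        echo "Chrome $v: includes the CVE-2020-16013 / CVE-2020-16017 fixes"
        return 0
    fi
    echo "Chrome $v: older than $PATCHED_VERSION, update now"
    return 1
}

# Run against the local install and keep the verdict in CHECK_STATUS so a
# wrapper that sources this file (e.g. a fleet inventory job) can read it.
CHECK_STATUS=0
check_chrome "$(installed_chrome_version)" || CHECK_STATUS=$?
```

Run it with `sh check_chrome.sh` on each machine; a non-zero `CHECK_STATUS` means the browser still needs the update (or could not be found, which is worth investigating in its own right). Note that the check only reads the installed binary’s version: a machine can have the new build downloaded but not yet running, which is exactly the situation the “close and reopen” advice above addresses.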

Why should I install the update?

Updates are issued for a number of reasons, one of which is security. Most updates include fixes for bugs that could otherwise expose your devices and infrastructure. It is good practice to ensure that all of your devices and software applications are up to date, as running old versions increases your risk of a cyber attack.

In relation to this particular update, it is extremely important to install it, as it includes patches for two zero-day vulnerabilities that have known exploits in the wild.

How can we help?

Secora Consulting offers a wide range of services which we tailor to meet our clients’ requirements. Our Vulnerability Assessment service can provide you with a prioritised list of your vulnerabilities and easy-to-follow remediation advice to immediately improve your cyber security posture. We can help you prepare for the worst-case scenario by simulating threats to your organisation.

Should you ever be on the unfortunate end of a cyber attack, our in-depth knowledge and Incident Response service will have your organisation ransomware-free and up and running in no time.

Partner with us today, our experienced consultants will go the extra mile to ensure your organisation stays secure by:

  • Validating implemented security controls.
  • Prioritising your risks based on their exploitability and impact.
  • Providing expert and effective advice to immediately improve your cyber security posture.
  • Understanding how uncovered issues will affect your organisation’s operations, availability and profitability.

Our services

All of Secora Consulting's assessments are tailored to our client's needs.
Using our experience, we can help you determine which services are right for you.
We have arranged our services into four groups based on the objective of the tests.

Improve your cyber security.

If you have any questions or are unsure if the steps you are taking to help keep your organisation secure are working, please reach out to us.