Attention readers: if you are using the Google Chrome browser on your Windows, Mac, or Linux computer, you need to update it immediately to the latest version, released by Google earlier today.
Google released Chrome version 86.0.4240.111 today to patch several security issues, including a zero-day vulnerability that attackers have exploited in the wild to hijack targeted computers.
Tracked as CVE-2020-15999, the actively exploited vulnerability is a type of memory corruption flaw known as a heap buffer overflow in FreeType, a popular open source software development library for rendering fonts that comes packaged with Chrome.
The vulnerability was discovered and reported by security researcher Sergei Glazunov of Google Project Zero on October 19 and is subject to a seven-day public disclosure deadline because the flaw is being actively exploited.
Glazunov also reported the zero-day vulnerability to the FreeType developers, who then developed an emergency patch to address the issue on October 20 with the release of FreeType 2.10.4.
Without revealing the technical details of the vulnerability, Ben Hawkes, technical lead of Google's Project Zero, warned on Twitter that although the team saw exploitation targeting only Chrome users, other projects using FreeType may also be vulnerable, and advised them to deploy the fix included in FreeType version 2.10.4.
“Although we saw only exploitation for Chrome, other freetype users should adopt the fix discussed here: https://savannah.nongnu.org/bugs/?59308 – the fix is also in the FreeType 2.10.4 release today,” Hawkes writes.
According to details shared by Glazunov, the vulnerability exists in the FreeType function “Load_SBit_Png,” which processes PNG images embedded in fonts. Attackers can exploit it to execute arbitrary code just by using specially crafted fonts with embedded PNG images.
“The issue is that libpng uses the original 32-bit values, which are saved in `png_struct`. Therefore, if the original width and/or height exceeds 65535, the allocated buffer will not be able to fit the bitmap,” Glazunov explained.
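To make the size mismatch in Glazunov's explanation concrete, the following C program is an added example, not FreeType, libpng or Chrome code. The struct and function names are hypothetical, and it assumes the caller sizes its buffer from 16-bit copies of the dimensions (inferred from the 65535 limit in the quote). It compares the two size computations and shows a check that rejects such an image before decoding.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of an embedded PNG header: the decoder keeps the
   original 32-bit width and height. */
typedef struct {
    uint32_t hdr_width;
    uint32_t hdr_height;
} png_header_t;

/* Bytes allocated when the caller sizes the bitmap from 16-bit copies
   of the dimensions (assumption, see lead-in). */
size_t alloc_size_truncated(const png_header_t *h, unsigned bpp)
{
    uint16_t w = (uint16_t)h->hdr_width;   /* high bits silently dropped */
    uint16_t r = (uint16_t)h->hdr_height;
    return (size_t)w * r * bpp;
}

/* Bytes the decoder writes: it works from the original 32-bit values. */
uint64_t decoder_write_size(const png_header_t *h, unsigned bpp)
{
    return (uint64_t)h->hdr_width * h->hdr_height * bpp;
}

/* Defensive check: accept only dimensions that survive the narrowing.
   Returns 1 when decoding into the allocated buffer is safe, else 0. */
int dimensions_ok(const png_header_t *h)
{
    if (h->hdr_width == 0 || h->hdr_height == 0)
        return 0;
    if (h->hdr_width > UINT16_MAX || h->hdr_height > UINT16_MAX)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample headers: one ordinary, one wider than 65535. */
    png_header_t samples[] = { { 64, 64 }, { 65536 + 16, 16 } };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const png_header_t *h = &samples[i];
        printf("%ux%u: allocated=%zu written=%llu accepted=%d\n",
               (unsigned)h->hdr_width, (unsigned)h->hdr_height,
               alloc_size_truncated(h, 4),
               (unsigned long long)decoder_write_size(h, 4),
               dimensions_ok(h));
    }
    return 0;
}
```

For the second sample the allocation is sized for a 16-pixel-wide image while the decoder would write rows 65552 pixels wide, which is why the check has to run before any pixel data is decoded.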
Glazunov also published a font file as a proof of concept.
Google released Chrome 86.0.4240.111 as a “stable” version of Chrome, which is available to all users, not just to early adopters who have opted in, saying the company is aware of reports that “an exploit for CVE-2020-15999 exists in the wild,” but did not reveal further details about the active attacks.
Besides the FreeType zero-day vulnerability, Google also patched four other flaws in the latest Chrome update: three high-risk vulnerabilities (an inappropriate implementation bug in Blink, a use-after-free bug in Chrome's media component, and a use-after-free bug in PDFium) and one medium-risk use-after-free issue in the browser's printing function.
Although the Chrome web browser automatically notifies users of the latest available version, it is recommended that users manually trigger the update process by going to “Help → About Google Chrome” from the menu.