Google’s own Chrome browser has just been patched for a brand new – obviously – zero-day vulnerability in the software’s FreeType font rendering library.
The bug was reportedly already exploited in the wild.
According to Sergei Glazunov of Google Project Zero the bug is a type of memory-corruption flaw called a heap buffer overflow in FreeType.
Glazunov informed Google of the vulnerability Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.
Fortunately for all Chrome users, Google has already released a stable channel update, Chrome version 86.0.4240.111, that deploys five security fixes for Windows, Mac and Linux.
Among them is the fix for the zero-day that Glazunov discovered (classified as CVE-2020-15999).
As Google acknowledged in the blog post announcing the update, it is aware that an exploit for the bug exists in the wild and is urging everybody to update as soon as possible.
On the subject, Ben Hawkes, technical lead for the Project Zero team, warned that while Google researchers only observed the Chrome exploit, it’s possible that other implementations of FreeType might be vulnerable as well since Google was so quick in its response to the bug.
Other fixes for Chrome
Other than CVE-2020-15999, Google patched four other bugs, as you can read below (with the bug hunters' payouts included):
- [$500][1125337] High CVE-2020-16000: Inappropriate implementation in Blink. Reported by amaebi_jp on 2020-09-06
- [$TBD][1135018] High CVE-2020-16001: Use after free in media. Reported by Khalil Zhani on 2020-10-05
- [$TBD][1137630] High CVE-2020-16002: Use after free in PDFium. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2020-10-13
- [$3000][1134960] Medium CVE-2020-16003: Use after free in printing. Reported by Khalil Zhani on 2020-10-04
Considering the last few months, this is the third zero-day that has been patched by Google in its Chrome browser.
Prior to this week’s FreeType disclosure, the first was a critical remote code execution vulnerability (CVE-2019-13720), and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was fixed in February of this year.