Google has released Chrome version 86.0.4240.111, which fixes five security vulnerabilities in the world’s most popular web browser. Among them is CVE-2020-15999, a heap buffer overflow in FreeType, the open-source library Chrome uses to render fonts. Beyond the bug’s severity, which is always a factor, Google says it has seen the flaw actively exploited in the wild, so updating to the latest version immediately is crucial.
Those who want to dive deeper into the technical side of the flaw and its exploitation potential can read the post by Google researcher Sergei Glazunov. In short, the bug lies in the way FreeType handles PNG images embedded in fonts. The PNG header stores the image width and height as 32-bit values, but FreeType copies them into 16-bit bitmap metrics, silently truncating anything above 65535, and sizes the bitmap buffer from those truncated values. The PNG decoder then writes the image rows using the original, full-size dimensions, so a specially crafted font carrying a PNG whose dimensions exceed what the 16-bit metrics can hold makes the decoder write past the end of the heap buffer. That memory corruption is what an attacker can turn into arbitrary code execution.
Glazunov has also developed and shared a proof-of-concept font that triggers the bug, which underlines that exploiting it does not require extraordinary skill.
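To make the mechanism concrete, here is an added simulation of the bug class, written for this page; it is a constructed example, not FreeType’s or libpng’s code and not Glazunov’s proof of concept. It parses the 32-bit width and height out of a constructed PNG header, then runs two loaders: a vulnerable one that truncates the dimensions into 16-bit metrics and sizes its buffer from them while the decoder uses the full values, and a hardened one that refuses any image the 16-bit metrics cannot represent (FreeType’s actual fix is not reproduced here). The function names (parse_ihdr, build_png_header, load_sbit_png_vulnerable, load_sbit_png_fixed, run_loader) and the 4-byte RGBA row layout are assumptions for the demo, and the simulated decoder stops at the buffer boundary and reports how many bytes would have spilled instead of actually corrupting the heap.

```c
/*
 * Simulation of the dimension-truncation bug class behind CVE-2020-15999.
 * Constructed example for illustration, not FreeType or libpng code.
 * The decoder below stops at the buffer boundary and reports the spill
 * rather than writing out of bounds.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PNG_SIG_LEN   8
#define IHDR_DATA_OFF (PNG_SIG_LEN + 4 + 4)    /* signature, chunk length, "IHDR" */
#define PNG_HDR_LEN   (IHDR_DATA_OFF + 13 + 4) /* 13 IHDR data bytes plus CRC = 33 */

static const uint8_t png_sig[PNG_SIG_LEN] = { 0x89, 'P', 'N', 'G', 0x0D, 0x0A, 0x1A, 0x0A };

typedef struct { uint32_t width, height; } png_ihdr;     /* 32-bit, per the PNG spec */
typedef struct { uint16_t width, height; } sbit_metrics; /* 16-bit, as in the font loader */

enum { LOAD_OK = 0, LOAD_ERR_PARSE = 1, LOAD_ERR_TOO_LARGE = 2, LOAD_ERR_ALLOC = 3 };

typedef struct {
    int    status;
    size_t alloc_bytes;    /* buffer size derived from the 16-bit metrics */
    size_t decode_bytes;   /* bytes the decoder emits from the 32-bit header */
    size_t overflow_bytes; /* decode_bytes beyond alloc_bytes, 0 if none */
} load_result;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Build signature + IHDR chunk for an RGBA image of the given size.
 * Constructed demo input; the CRC is left zero and is not checked here. */
size_t build_png_header(uint8_t *buf, uint32_t width, uint32_t height) {
    memcpy(buf, png_sig, PNG_SIG_LEN);
    put_be32(buf + 8, 13);                       /* IHDR data length */
    memcpy(buf + 12, "IHDR", 4);
    put_be32(buf + IHDR_DATA_OFF, width);
    put_be32(buf + IHDR_DATA_OFF + 4, height);
    buf[IHDR_DATA_OFF + 8]  = 8;                 /* bit depth */
    buf[IHDR_DATA_OFF + 9]  = 6;                 /* colour type: RGBA */
    buf[IHDR_DATA_OFF + 10] = 0;                 /* compression */
    buf[IHDR_DATA_OFF + 11] = 0;                 /* filter */
    buf[IHDR_DATA_OFF + 12] = 0;                 /* interlace */
    memset(buf + IHDR_DATA_OFF + 13, 0, 4);      /* CRC placeholder */
    return PNG_HDR_LEN;
}

/* Read the 32-bit dimensions out of the IHDR chunk. Returns 0 on success. */
int parse_ihdr(const uint8_t *buf, size_t len, png_ihdr *out) {
    if (len < PNG_HDR_LEN || memcmp(buf, png_sig, PNG_SIG_LEN) != 0) return -1;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0)    return -1;
    out->width  = be32(buf + IHDR_DATA_OFF);
    out->height = be32(buf + IHDR_DATA_OFF + 4);
    return 0;
}

/* Allocate from the 16-bit metrics, then "decode" rows using the 32-bit header:
 * the exact mismatch that overflowed the heap in FreeType. */
static load_result decode_into_metrics(const png_ihdr *hdr, const sbit_metrics *m) {
    load_result r = { LOAD_OK, 0, 0, 0 };
    size_t row_bytes = (size_t)hdr->width * 4;                 /* RGBA row from the header */
    r.alloc_bytes  = (size_t)m->width * m->height * 4;         /* buffer from the metrics */
    r.decode_bytes = (size_t)hdr->height * row_bytes;
    uint8_t *bitmap = malloc(r.alloc_bytes ? r.alloc_bytes : 1);
    if (!bitmap) { r.status = LOAD_ERR_ALLOC; return r; }
    for (uint32_t y = 0; y < hdr->height; y++) {
        size_t off = (size_t)y * row_bytes;
        if (off + row_bytes > r.alloc_bytes) {                 /* real code would keep writing */
            r.overflow_bytes = r.decode_bytes - r.alloc_bytes;
            break;
        }
        memset(bitmap + off, 0xAB, row_bytes);                 /* in-bounds row write */
    }
    free(bitmap);
    return r;
}

/* Vulnerable pattern: silent truncation, e.g. a width of 65537 becomes 1. */
load_result load_sbit_png_vulnerable(const uint8_t *png, size_t len) {
    load_result r = { LOAD_ERR_PARSE, 0, 0, 0 };
    png_ihdr hdr;
    if (parse_ihdr(png, len, &hdr) != 0) return r;
    sbit_metrics m;
    m.width  = (uint16_t)hdr.width;
    m.height = (uint16_t)hdr.height;
    return decode_into_metrics(&hdr, &m);
}

/* Hardened pattern: reject anything that cannot round-trip through 16 bits. */
load_result load_sbit_png_fixed(const uint8_t *png, size_t len) {
    load_result r = { LOAD_ERR_PARSE, 0, 0, 0 };
    png_ihdr hdr;
    if (parse_ihdr(png, len, &hdr) != 0) return r;
    if (hdr.width > UINT16_MAX || hdr.height > UINT16_MAX) { r.status = LOAD_ERR_TOO_LARGE; return r; }
    sbit_metrics m = { (uint16_t)hdr.width, (uint16_t)hdr.height };
    return decode_into_metrics(&hdr, &m);
}

/* Build a header with the given dimensions and run one loader (hardened: 0 = vulnerable, 1 = fixed). */
load_result run_loader(int hardened, uint32_t width, uint32_t height) {
    uint8_t buf[PNG_HDR_LEN];
    size_t n = build_png_header(buf, width, height);
    return hardened ? load_sbit_png_fixed(buf, n) : load_sbit_png_vulnerable(buf, n);
}

int main(void) {
    load_result v = run_loader(0, 65537u, 1u);
    load_result f = run_loader(1, 65537u, 1u);
    printf("vulnerable: alloc=%zu decode=%zu spill=%zu bytes\n", v.alloc_bytes, v.decode_bytes, v.overflow_bytes);
    printf("fixed: status=%d (2 = rejected as too large)\n", f.status);
    return 0;
}
```

A 65537-pixel-wide, one-row image is the instructive case: the vulnerable loader allocates 4 bytes for a 1x1 bitmap and the decoder then emits 262148 bytes, so everything past the first pixel lands on adjacent heap data. A width of exactly 65536 truncates to 0 and yields a zero-sized allocation, which is worse still. The hardened loader never reaches the allocation for either input.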
The other fixes that landed with the latest version are the following:
If you use Chrome, you should already have received the update prompt. You can confirm by opening chrome://settings/help, which also triggers an update check, and verifying that the version reads 86.0.4240.111 or later. Chromium-based browsers such as Edge, Brave, Opera and Vivaldi ship the fix on their own release schedules, so check for their updates separately, and because the bug is in FreeType itself (patched upstream in FreeType 2.10.4), any other software that bundles the library needs updating too. When a release fixes an actively exploited zero-day like the FreeType heap buffer overflow, postponing the update carries real risk: arbitrary code execution in the browser can have a wide range of dire consequences, and is not something that merely freezes a tab.
Google learned of the flaw from its Project Zero team on October 19, 2020, and shipped the fix within the seven-day disclosure deadline that Project Zero applies to vulnerabilities exploited in the wild; further technical details are due to be published on October 26, 2020. The company has not said how long the flaw has been under active exploitation.