Google’s Project Zero white-hat hacker squad have patched two new zero-day bug fixes for vulnerabilities in the Chrome Browser, already being actively exploited in the wild – the third time in two weeks the team has had to patch a live vulnerability in the world’s most used web browser.
Ben Hawkes, the head of Project Zero took to Twitter on Monday to make the announcement:
Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android. https://t.co/IOhFwT0Wx1
— Ben Hawkes (@benhawkes) November 2, 2020
The first, codenamed CVE-2020-16009, is a remote code-execution bug in V8, the custom Javascript engine used in Chromium. The second, coded CVE-2020-16010 is a heap-based buffer overflow, specific to the Android version of Chrome, which lets users outside the sandbox environment, leaving them free to exploit malicious code, perhaps from the other exploit, or maybe a completely different one.
There’s a lot we don’t know – Project Zero often uses a ‘need to know’ basis, lest it actually turns into a ‘how to hack’ tutorial – but we can glean some bits of information. We don’t know, for example, who is responsible for exploiting the flaws, but given that the first (16009) was discovered by the Threat Analysis Group, which could well mean it’s a state-sponsored actor. We don’t know which versions of Chrome are being targeted, so we’re recommending that you assume the answer is “the one you have” and update wherever possible if you’ve not had the latest version automatically. The Android patch is in the latest version of Chrome, currently available from the Google Play Store – you may need to trigger a manual update, to be sure of receiving it in a timely manner.
Source: Twitter
Story Via: Ars Technica
The post Google fixes two more zero-day Chrome flaws that were already being exploited appeared first on xda-developers.
from xda-developers https://ift.tt/35YkOA0
via IFTTT
Aucun commentaire:
Enregistrer un commentaire