Google released an update to its Chrome browser that patches a zero-day vulnerability in the FreeType font rendering library, a memory-corruption bug that was being actively exploited in the wild.
Security researcher Sergei Glazunov of Google Project Zero found the bug, which is classified as a type of memory-corruption flaw called a heap buffer overflow in FreeType. Glazunov informed Google of the vulnerability on Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.
On Tuesday, Google released a stable channel update, Chrome version 86.0.4240.111, that includes five security fixes for Windows, Mac and Linux, among them a fix for the zero-day, which is tracked as CVE-2020-15999 and is rated as high risk.
“Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild,” Prudhvikumar Bommana of the Google Chrome team wrote in a blog post announcing the update on Tuesday. Google did not reveal further details of the active attacks that researchers observed.
Still, Ben Hawkes, technical lead for the Project Zero team, warned that while Google researchers only observed the Chrome exploit, it is possible that other software built on FreeType is vulnerable as well, given how quickly Google responded to the bug.
He referred users to a fix by Glazunov posted on the FreeType Project page and urged them to update other potentially vulnerable software.
“The fix is also in today’s stable release of FreeType 2.10.4,” Hawkes tweeted.
Meanwhile, security researchers took to Twitter to encourage people to update their Chrome browsers immediately to avoid falling victim to attackers aiming to exploit the flaw.
“Make sure you update your Chrome today! (restart it!),” tweeted London-based application security consultant Sam Stepanyan.
Alongside the FreeType zero-day, Google patched four other bugs, three rated high risk and one rated medium risk, in the Chrome update released this week.
The high-risk vulnerabilities are CVE-2020-16000, described as “inappropriate implementation in Blink”; CVE-2020-16001, described as “use after free in media”; and CVE-2020-16002, described as “use after free in PDFium,” according to the blog post. The medium-risk bug is tracked as CVE-2020-16003, described as “use after free in printing,” Bommana wrote.
Over the past year Google has patched three zero-day vulnerabilities in its Chrome browser. Before this week’s FreeType disclosure, the first was a critical remote code execution vulnerability patched last Halloween night and tracked as CVE-2019-13720, and the second was a type confusion bug tracked as CVE-2020-6418 that was fixed in February.