Google has released security updates for the Chrome browser for Android to correct a zero-day vulnerability that is currently being exploited in the wild.
Chrome for Android version 86.0.4240.185 was released last night with fixes for CVE-2020-16010, a heap buffer overflow vulnerability in the Chrome for Android user interface (UI) component.
Google said the bug was exploited to allow attackers to bypass and escape Chrome’s security sandbox on Android devices and execute code in the underlying operating system.
Details about the attack are not public, to give Chrome users more time to install updates and to keep other threat actors from developing their own exploits from those details.
Google credited its internal Threat Analysis Group (TAG) for discovering the attacks exploiting this Chrome for Android zero-day.
This marks the third Chrome zero-day discovered by the TAG team in the last two weeks.
The first two zero-days affected only desktop versions of Chrome.
The first one, tracked as CVE-2020-15999, was patched on Oct 20 and affected Chrome's FreeType font rendering library.
In a follow-up report last week, Google said that this first Chrome zero-day was used in conjunction with a Windows zero-day (CVE-2020-17087) as part of a two-step exploit chain: the Chrome zero-day allowed attackers to execute malicious code inside Chrome, while the Windows zero-day was used to elevate privileges and attack the underlying Windows operating system.
In addition to this, Google also patched a second zero-day yesterday. Tracked as CVE-2020-16009, this zero-day was described as a remote code execution in Chrome's V8 JavaScript engine.
Hours after the Chrome team released patches for this second zero-day, Google revealed a third zero-day, impacting only its Android version of Chrome.
While the three zero-days are all different from each other and affect different versions and components of Chrome, Google did not clarify whether all of them were exploited by the same threat actor or by multiple groups.
Such details are typically revealed months after patches, via reports posted on Google’s Project Zero and Google Security blogs. Meanwhile, Chrome users on both Android and desktop should hurry to install the latest updates (v86.0.4240.185 on Android and v86.0.4240.183 on desktop).