Google today released earlier versions of 86..4..44040.0..11 on Thursday to deploy security fixes including patches for active zero-day vulnerabilities.
Tracked as zero day CVE-2020-15999 And the free type font rendering library is described as a memory corrupt bug that includes standard chrome distributions.
Security researchers at Project Zero, one of Google’s internal security teams, have discovered in-the-wild attacks that take advantage of this freetype bug.
According to Ben Hawks, lead of the Project Zero team, a threatening actor was seen abusing this freetype bug to carry out attacks against Chrome users.
Hawks has now requested other app vendors who use the same free-type library to update their software as well, if the threatening actor decides to switch attacks against other apps.
The patch for this bug is included in FreeType 2.10.4, which was released earlier today.
Chrome users can update to v86.0.4240.111 via the browser’s built-in update function (Chrome menu, Help Option, and About Google Chrome Section).
Excellent details about CVE-2020-15999 active exploitation efforts have not been made public. Google usually spends months on technical details to give users enough time to update and prevent even the smallest keys from falling into the hands of attackers.
However, this zero-day patch, FreeType, appears in the source code of an open source project, so it is expected that threatening artists will be able to zero-day reverse-engineer and come forward in a few days or with their own works. Weeks.
CVE-2020-15999 is the third chrome-day exploited in the forest in the last 12 months. The first two were CVE-2019-13720 (October-October 2019) and CVE-2020-6418 (February 2020).