ID CVE-2020-16010 Type cve Reporter cve@mitre.org Modified 2020-11-04T18:51:00
Description
Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
{"attackerkb": [{"lastseen": "2020-11-18T06:39:19", "bulletinFamily": "info", "cvelist": ["CVE-2020-16010"], "description": "Heap buffer overflow in UI in Google Chrome on Android prior to 86.0.4240.185 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.\n\n \n**Recent assessments:** \n \n**kreavis-r7** at November 03, 2020 7:10pm UTC reported:\n\nGoogle confirmed that an exploit for CVE-2020-16010 exists in the wild: \n<https://chromereleases.googleblog.com/2020/11/chrome-for-android-update.html>\n", "modified": "2020-11-05T00:00:00", "published": "2020-11-03T00:00:00", "id": "AKB:CAC41652-7B58-46F8-A5DF-22AA4D982B76", "href": "https://attackerkb.com/topics/CIx5587SKG/cve-2020-16010", "type": "attackerkb", "title": "CVE-2020-16010", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "thn": [{"lastseen": "2020-11-03T12:16:39", "bulletinFamily": "info", "cvelist": ["CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-17087"], "description": "[](<https://thehackernews.com/images/-wwpOKprFWzg/X6EjqTcCLXI/AAAAAAAAA9I/mBsBYTybLoExMJP9mvW6fPJ2Njf3EeA6gCLcBGAsYHQ/s0/chrome-extensions.jpg>)\n\nGoogle has patched a second actively exploited zero-day flaw in the Chrome browser in two weeks, along with addressing nine other security vulnerabilities in its latest update.\n\nThe company [released](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) 86.0.4240.183 for Windows, Mac, and Linux, which it said will be rolling out over the coming days/weeks to all users.\n\nThe zero-day flaw, tracked as **CVE-2020-16009**, was reported by Clement Lecigne of Google's Threat Analysis Group (TAG) and Samuel Gro\u00df of Google Project Zero on October 29.\n\nThe company also warned that it \"is aware of reports that an exploit for CVE-2020-16009 exists in the wild.\"\n\nGoogle hasn't made any details about the bug or the exploit used by threat actors public so as to allow a majority of users to install the updates and prevent other adversaries from developing their own exploits leveraging the flaw.\n\nBut Ben Hawkes, Google Project Zero's technical lead, [said](<https://twitter.com/benhawkes/status/1323374326150701057>) CVE-2020-16009 concerned an \"inappropriate implementation\" of its V8 JavaScript rendering engine leading to remote code execution.\n\nAside from the ten security fixes for the desktop version of Chrome, Google has also addressed a separate zero-day in Chrome for Android that was being exploited in the wild \u2014 a sandbox escape flaw tracked as CVE-2020-16010.\n\nThe zero-day disclosures come two weeks after Google fixed a critical buffer overflow flaw ([CVE-2020-15999](<https://thehackernews.com/2020/10/chrome-zeroday-attacks.html>)) in the Freetype font library.\n\nThen late last week, the company revealed a Windows privilege escalation zero-day ([CVE-2020-17087](<https://thehackernews.com/2020/11/warning-google-discloses-windows-zero.html>)) that was employed in combination with the above font rendering library flaw to crash Windows systems.\n\nThe search giant hasn't so far clarified if the same threat actor was exploiting the two zero-days.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2020-11-03T11:15:49", "published": "2020-11-03T09:33:00", "id": "THN:955CBC4C8C3F414A1ED3D5F7CAA08A9F", "href": "https://thehackernews.com/2020/11/new-chrome-zero-day-under-active.html", "type": "thn", "title": "New Chrome Zero-Day Under Active Attacks \u2013 Update Your Browser", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-12-02T08:29:44", "bulletinFamily": "info", "cvelist": ["CVE-2020-15999", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-17087", "CVE-2020-27930", "CVE-2020-27932", "CVE-2020-27950"], "description": "[](<https://thehackernews.com/images/-4s737H_lQjY/X6T-7usqm2I/AAAAAAAAA-s/xbIl-rUzZWo6sfq6-YyjjyEeHi5vz2GugCLcBGAsYHQ/s0/apple-update.jpg>)\n\nApple on Thursday released multiple security updates to patch three zero-day vulnerabilities that were revealed as being actively exploited in the wild.\n\nRolled out as part of its iOS, iPadOS, macOS, and watchOS updates, the flaws reside in the FontParser component and the kernel, allowing adversaries to remotely execute arbitrary code and run malicious programs with kernel-level privileges.\n\nThe zero-days were discovered and reported to Apple by Google's Project Zero security team.\n\n\"Apple is aware of reports that an exploit for this issue exists in the wild,\" the iPhone maker said of the three zero-days without giving any additional details so as to allow a vast majority of users to install the updates.\n\nThe list of [impacted devices](<https://support.apple.com/en-us/HT201222>) includes iPhone 5s and later, iPod touch 6th and 7th generation, iPad Air, iPad mini 2 and later, and Apple Watch Series 1 and later.\n\nThe fixes are available in versions iOS 12.4.9 and 14.2, iPadOS 14.2, watchOS 5.3.9, 6.2.9, and 7.1, and as a supplemental update for macOS Catalina 10.15.7.\n\nAccording to Apple's [security bulletin](<https://support.apple.com/en-us/HT211929>), the flaws are:\n\n * **CVE-2020-27930:** A memory corruption issue in the FontParser library that allows for remote code execution when processing a maliciously crafted font.\n * ****CVE-2020-27950**:** A memory initialization issue that allows a malicious application to execute arbitrary code with kernel privileges.\n * **CVE-2020-27932:** A type-confusion issue that makes it possible for a malicious application to disclose kernel memory.\n\n\"Targeted exploitation in the wild similar to the other recently reported 0days,\" [said](<https://twitter.com/ShaneHuntley/status/1324431104187670529>) Shane Huntley, Director of Google's Threat Analysis Group. \"Not related to any election targeting.\"\n\nThe disclosure is the latest in the string of zero-days Project Zero has reported since October 20. First came the Chrome zero-day in Freetype font rendering library ([CVE-2020-15999](<https://thehackernews.com/2020/10/chrome-zeroday-attacks.html>)), then a Windows zero-day ([CVE-2020-17087](<https://thehackernews.com/2020/11/warning-google-discloses-windows-zero.html>)), followed by two more in Chrome and its Android variant ([CVE-2020-16009 and CVE-2020-16010](<https://thehackernews.com/2020/11/new-chrome-zero-day-under-active.html>)).\n\nA patch for the Windows zero-day is expected to be released on November 10 as part of this month's Patch Tuesday.\n\nWhile more details are awaited on whether the zero-days were abused by the same threat actor, it's recommended that users update their devices to the latest versions to mitigate the risk associated with the flaws.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "modified": "2020-12-02T06:39:58", "published": "2020-11-06T07:48:00", "id": "THN:DAE548E4C591A2718BC3A3D2C9440FB1", "href": "https://thehackernews.com/2020/11/update-your-ios-devices-now-3-actively.html", "type": "thn", "title": "Update Your iOS Devices Now \u2014 3 Actively Exploited 0-Days Discovered", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-11-04T20:29:51", "bulletinFamily": "info", "cvelist": ["CVE-2019-13720", "CVE-2020-14750", "CVE-2020-15999", "CVE-2020-16004", "CVE-2020-16005", "CVE-2020-16007", "CVE-2020-16008", "CVE-2020-16009", "CVE-2020-16010", "CVE-2020-16011", "CVE-2020-6418"], "description": "Flaws in Google\u2019s Chrome desktop and Android-based browsers were patched Monday in an effort to prevent known exploits from being used by attackers. Two separate security bulletins issued by Google warned that it is aware of reports that exploits for both exist in the wild. Google\u2019s Project Zero went one step further and asserted that both bugs are actively being exploited.\n\nIn its [Chrome browser update](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) for Windows, Mac and Linux, Google said that version 86.0.4240.183 fixes 10 vulnerabilities. Tracked as CVE-2020-16009, this bug is the most troubling, rated high-severity and is one of the two with active exploits. The vulnerability is tied to Google\u2019s open source JavaScript and WebAssembly engine called V8. In its disclosure, the flaw is described as an \u201cinappropriate implementation in V8\u201d.\n\nClement Lecigne of Google\u2019s Threat Analysis Group and Samuel Gross of Google Project Zero discovered the Chrome desktop bug on Oct. 29, according to a [blog post](<https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop.html>) announcing the fixes by Prudhvikumar Bommana of the Google Chrome team. If exploited, the V8 bug can be used for remote code execution, according to a separate analysis by Project Zero\u2019s team. \n[](<https://threatpost.com/newsletter-sign/>)\n\nAs for the Android OS-based Chrome browser, also with an active exploit in the wild, Google warned [on Monday](<https://chromereleases.googleblog.com/2020/11/chrome-for-android-update.html>) of a sandbox escape bug (CVE-2020-16010). This vulnerability is rated high-severity and opened up a possible attack based on \u201cheap buffer overflow in UI on Android\u201d conditions. Credited for discovering the bug on Oct. 31 is Maddie Stone, Mark Brand and Sergei Glazunov of Google Project Zero.\n\n## **\u2018Actively Exploited in the Wild\u2019**\n\nGoogle said it was withholding the technical details of both bugs, pending the distribution of patches to effected endpoints. While Google said publicly known exploits existed for both bugs, it did not indicate that either one was under active attack. Google\u2019s own Project Zero technical lead Ben Hawkes tweeted on Monday that both were under active attack.\n\n\u201cToday Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android,\u201d he wrote.\n\n> Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android. <https://t.co/IOhFwT0Wx1>\n> \n> \u2014 Ben Hawkes (@benhawkes) [November 2, 2020](<https://twitter.com/benhawkes/status/1323374326150701057?ref_src=twsrc%5Etfw>)\n\nAs a precaution, Google said in its security update that it would \u201calso retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven\u2019t yet fixed,\u201d according to the post.\n\n## **The Other Android Bugs**\n\nThe new Chrome Android release also includes stability and performance improvements, according to the Google Chrome team.\n\nVulnerabilities patched in the Chrome desktop update included a \u201cuse after free\u201d bug (CVE-2020-16004); an \u201cinsufficient policy enforcement in ANGLE\u201d flaw (CVE-2020-16005); an \u201cinsufficient data validation in installer\u201d issue (CVE-2020-16007) and a \u201cstack buffer overflow in WebRTC\u201d bug (CVE-2020-16008). Lastly there Google reported a \u201cheap buffer overflow in UI on Windows\u201d tracked as (CVE-2020-16011).\n\nThis week\u2019s Chrome updates come on the heels of zero-day bug [reported and patched last week](<https://threatpost.com/google-patches-zero-day-browser/160393/>) by Google effecting Chrome on Windows, Mac and Linux. The flaw (CVE-2020-15999), rated high-risk, is a vulnerability in Chrome\u2019s FreeType font rendering library.\n\nThe latest vulnerabilities mean that in that just over 12 months Google has patched a string of serious vulnerabilities in its Chrome browser. In addition to the three most recently reported flaws, the first was a critical remote code execution vulnerability [patched last Halloween night](<https://www.zdnet.com/article/halloween-scare-google-discloses-chrome-zero-day-exploited-in-the-wild/>) and tracked as CVE-2019-13720, and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was [fixed in February](<https://threatpost.com/google-patches-chrome-browser-zero-day-bug-under-attack/153216/>).\n\n**Hackers Put Bullseye on Healthcare: [On Nov. 18 at 2 p.m. EDT](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>) find out why hospitals are getting hammered by ransomware attacks in 2020. [Save your spot for this FREE webinar ](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>)on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this [LIVE](<https://threatpost.com/webinars/2020-healthcare-cybersecurity-priorities-data-security-ransomware-and-patching/?utm_source=ART&utm_medium=ART&utm_campaign=Nov_webinar>), limited-engagement webinar.**\n", "modified": "2020-11-03T17:23:23", "published": "2020-11-03T17:23:23", "id": "THREATPOST:DF87733B74489628AB9F2C89704380A9", "href": "https://threatpost.com/chrome-holes-actively-targeted/160890/", "type": "threatpost", "title": "Two Chrome Browser Updates Plug Holes Actively Targeted by Exploits", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
