CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 7.2 High
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C

Google has patched a second actively exploited zero-day flaw in the Chrome browser in two weeks, along with addressing nine other security vulnerabilities in its latest update.
The company released 86.0.4240.183 for Windows, Mac, and Linux, which it said will be rolling out over the coming days/weeks to all users.
The zero-day flaw, tracked as CVE-2020-16009, was reported by Clement Lecigne of Google's Threat Analysis Group (TAG) and Samuel Groß of Google Project Zero on October 29.
The company also warned that it "is aware of reports that an exploit for CVE-2020-16009 exists in the wild."
Google hasn't made any details about the bug or the exploit used by threat actors public so as to allow a majority of users to install the updates and prevent other adversaries from developing their own exploits leveraging the flaw.
But Ben Hawkes, Google Project Zero's technical lead, said CVE-2020-16009 concerned an "inappropriate implementation" of its V8 JavaScript rendering engine leading to remote code execution.
Aside from the ten security fixes for the desktop version of Chrome, Google has also addressed a separate zero-day in Chrome for Android that was being exploited in the wild: a sandbox escape flaw tracked as CVE-2020-16010.
The zero-day disclosures come two weeks after Google fixed a critical buffer overflow flaw (CVE-2020-15999) in the Freetype font library.
Then late last week, the company revealed a Windows privilege escalation zero-day (CVE-2020-17087) that was employed in combination with the above font rendering library flaw to crash Windows systems.
The search giant hasn't so far clarified if the same threat actor was exploiting the two zero-days.