Chrome Zero day ! Goes Wild

A new Chrome version has released to patch a zeroday … And the version is 86.0.4240.111 stable version from chrome

The reason for making sure you’ve got this particular update is not only that five security bugs have been patched, including one buffer overflow and three use-after-free vulnerabilities, but also that one of these bugs, designated CVE-2020-15999, is already known to attackers.

As the update notification states, “Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild.”

The bug is described as a heap buffer overflow in Freetype, where Freetype is an open source font rendering software toolkit that allows programmers to support the use of all sorts of modern font files and formats in their applications.

Many web pages these days include special versions of the fonts they need – a corporate typeface, for instance – and these files, known as WOFFs, short for Web Open Font Format, are downloaded into your browser to use as required.

WOFF files are used not only so that websites can rely on fonts that a user is unlikely already to have installed, but also so that they can depend access to specific version of a font that supports particular characters or character sets that might otherwise be missing or display incorrectly.

We’re guessing, therefore, that this bug could be exploited by luring you to a web page that contained an innocent-looking but booby-trapped font file that deliberately triggered the bug, either when the font was loaded or when specific text was displayed.

Despite an attack already being known in the wild, Google has included its customary notification that the update will “roll out over the coming days/weeks”, presumably because some Chrome users may be dependent on a vendor to push out fixes.