Google 0 Day patched

Google has addressed two zero-day vulnerabilities, actively exploited in the wild, with the release of Chrome version 86.0.4240.198.

Tracked as CVE-2020-16013 and CVE-2020-16017, the flaws were reported by anonymous sources. Google experts did not disclose how the flaws were exploited in the attacks.

The CVE-2020-16013 flaw is an inappropriate implementation in the V8 Chrome component.

The CVE-2020-16017 flaw is a use-after-free memory corruption bug in Site Isolation.

It is interesting to note that one of the vulnerabilities was reported to Google the same day the company released the new version of the popular browser.

The other three zero-days patched by Google in the last few weeks were:

  • CVE-2020-15999 – The flaw is a memory corruption bug that resides in the FreeType font rendering library, which is included in standard Chrome releases.
  • CVE-2020-16009 – a V8 bug in Google Chrome, used for remote code execution.
  • CVE-2020-16010 – affects the browser’s user interface (UI) component in Chrome for Android.

It’s mind-boggling to have to update Chrome day after week after month to get protection against exploits.

Google Successive 0 Day

Google has just released a fix for the second actively exploited Chrome zero-day security flaw in two weeks. CVE-2020-16009 is a V8 bug used for remote code execution. The fix applies to Windows, macOS and Linux.

“Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild,” Google says. The Chromium bug entry with more details is locked to all but Chrome developers, as you might expect with a flaw that hasn’t yet been fully fixed everywhere.

Google fixed a previous, technically unrelated, zero-day flaw two weeks ago (Oct. 20), and related browsers quickly followed suit.

Google revealed a Windows zero-day flaw that was being used in combination with the first Chrome flaw to hijack PCs via malicious websites. It’s not clear if yesterday’s new flaw has anything to do with those attacks.

Most installations of Chrome and Chromium variants will update themselves if you close the browser and then relaunch it again, although not all Chromium variants may yet have released new versions to patch this flaw.

You want to update to version 86.0.4240.183 in Chrome, although not every Chromium variant has that version ready yet. In Edge, the latest version is 86.0.622.61.

Windows 0 Day –> Discovered by Google Project Zero 🐞🦠

Google’s Project Zero bug-hunting team has disclosed a Windows kernel flaw that’s being actively exploited by miscreants to gain administrator access on compromised machines. It was made public 7 days after it was discovered.

“The Windows Kernel Cryptography Driver (cng.sys) exposes a \Device\CNG device to user-mode programs and supports a variety of IOCTLs with non-trivial input structures,” the bug report explains. “It constitutes a locally accessible attack surface that can be exploited for privilege escalation.”

Malware already on a system, or a rogue insider, can potentially exploit this buggy driver to gain admin-level control of a vulnerable Windows box. The flaw, designated as CVE-2020-17087, is the result of improper 16-bit integer truncation that can lead to a buffer overflow.
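The bug class named above, a 16-bit integer truncation that lets a bounds check pass while the later copy uses the full-size length, is easy to see in miniature. The following is an added example written for this post, not Project Zero’s PoC and not cng.sys code: the request layout, the 64-byte scratch buffer and the probe lengths are all made up, and the copy is simulated rather than performed so the program runs safely. It shows the vulnerable ordering beside the hardened one, where the full-width value is checked before it is ever narrowed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical scratch buffer size; the real cng.sys structures and sizes
 * are not part of this example. */
#define SCRATCH_SIZE 64u

/* Vulnerable pattern: the caller-controlled 32-bit length is narrowed to
 * 16 bits, the bounds check runs on the narrowed value, but the copy that
 * would follow uses the original length. Returns the number of bytes that
 * copy would write into the SCRATCH_SIZE-byte buffer, or -1 if rejected.
 * The copy itself is simulated, not performed. */
long long vulnerable_copy_length(uint32_t length)
{
    uint16_t len16 = (uint16_t)length;   /* 0x00010010 becomes 0x0010 */
    if (len16 > SCRATCH_SIZE)
        return -1;                       /* only the low 16 bits are checked */
    /* memcpy(scratch, user_data, length) would run here with the full length */
    return (long long)length;
}

/* Hardened pattern: validate the full-width value first, then narrow. */
long long hardened_copy_length(uint32_t length)
{
    if (length > SCRATCH_SIZE)
        return -1;                       /* rejects 65 and 0x10010 alike */
    uint16_t len16 = (uint16_t)length;   /* now provably <= SCRATCH_SIZE */
    return (long long)len16;
}

/* 1 if the vulnerable path would write past the scratch buffer. */
int vulnerable_overflows(uint32_t length)
{
    long long n = vulnerable_copy_length(length);
    return n > (long long)SCRATCH_SIZE;
}

int main(void)
{
    /* Constructed probe lengths: in range, just over, and two whose low
     * 16 bits look small even though the full value is huge. */
    const uint32_t probes[] = { 16u, 64u, 65u, 0x10000u, 0x10010u };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("length=0x%08x vulnerable=%lld (overflow=%d) hardened=%lld\n",
               probes[i], vulnerable_copy_length(probes[i]),
               vulnerable_overflows(probes[i]), hardened_copy_length(probes[i]));
    }
    return 0;
}
```

The length 65 is caught by both versions; 0x10000 and 0x10010 slip past the vulnerable check because their low 16 bits are 0 and 16, which is exactly the “improper 16-bit integer truncation” the advisory describes. The fix is nothing more than doing the comparison on the type the caller actually supplied.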

The Google researchers have posted PoC exploit code tested on Windows 10 1903 (64-bit). They say the cng.sys flaw looks to have been present since at least Windows 7.

The Windows giant suggested exploitation would be difficult because an attacker would first need to compromise a host machine and then exploit another vulnerability on the local system. Microsoft says the only known remote-based attack chain for this vulnerability has been dealt with: a hole in Chromium-based browsers (CVE-2020-15999) that was fixed this month.

A patch is expected by November 10, 2020, which would be the next “Patch Tuesday” from Microsoft.

Chrome Zero Day Goes Wild!

A new Chrome version has been released to patch a zero-day: stable version 86.0.4240.111 from Chrome.

The reason for making sure you’ve got this particular update is not only that five security bugs have been patched, including one buffer overflow and three use-after-free vulnerabilities, but also that one of these bugs, designated CVE-2020-15999, is already known to attackers.

As the update notification states, “Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild.”

The bug is described as a heap buffer overflow in FreeType, where FreeType is an open source font rendering software toolkit that allows programmers to support the use of all sorts of modern font files and formats in their applications.

Many web pages these days include special versions of the fonts they need – a corporate typeface, for instance – and these files, known as WOFFs, short for Web Open Font Format, are downloaded into your browser to use as required.

WOFF files are used not only so that websites can rely on fonts that a user is unlikely already to have installed, but also so that they can depend on access to a specific version of a font that supports particular characters or character sets that might otherwise be missing or display incorrectly.

We’re guessing, therefore, that this bug could be exploited by luring you to a web page that contained an innocent-looking but booby-trapped font file that deliberately triggered the bug, either when the font was loaded or when specific text was displayed.
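Whatever the exact trigger inside FreeType turns out to be (the post above doesn’t say, and neither does this example), the reason a “booby-trapped font file” can cause a heap overflow at all is that a font is a container full of self-declared sizes and offsets, and every one of them is attacker-controlled. Here is an added example, written for this post and not taken from FreeType, Chrome or any real font, of the sort of sanity check a parser has to do on the WOFF 1.0 container before it trusts a single table: the field layout follows the W3C WOFF 1.0 specification, the sample fonts are constructed by hand inside the code, and the status names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WOFF_HEADER_SIZE 44u
#define WOFF_ENTRY_SIZE  20u
#define SAMPLE_LEN       68u   /* header + one directory entry + 4 bytes of table data */

enum woff_status {
    WOFF_OK = 0,
    WOFF_BAD_SIGNATURE,        /* first four bytes are not "wOFF" */
    WOFF_BAD_LENGTH,           /* buffer too short, or header length != buffer length */
    WOFF_DIR_OUT_OF_BOUNDS,    /* numTables entries would run past the buffer */
    WOFF_TABLE_OUT_OF_BOUNDS,  /* offset + compLength exceeds the buffer */
    WOFF_COMP_GT_ORIG          /* compLength > origLength, forbidden by the spec */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)(((uint16_t)p[0] << 8) | p[1]);
}

/* Validates the WOFF 1.0 header and table directory of an untrusted buffer.
 * Every declared size is compared against the real buffer length, and the
 * arithmetic is done in 64 bits so offset + compLength cannot wrap around
 * to a small number and pass the check. */
enum woff_status woff_validate(const uint8_t *buf, size_t buflen)
{
    if (buflen < WOFF_HEADER_SIZE)
        return WOFF_BAD_LENGTH;
    if (memcmp(buf, "wOFF", 4) != 0)
        return WOFF_BAD_SIGNATURE;

    uint32_t length     = be32(buf + 8);    /* declared total file size */
    uint16_t num_tables = be16(buf + 12);
    if (length != buflen)
        return WOFF_BAD_LENGTH;

    uint64_t dir_end = (uint64_t)WOFF_HEADER_SIZE + (uint64_t)num_tables * WOFF_ENTRY_SIZE;
    if (dir_end > buflen)
        return WOFF_DIR_OUT_OF_BOUNDS;

    for (uint16_t i = 0; i < num_tables; i++) {
        const uint8_t *e = buf + WOFF_HEADER_SIZE + (size_t)i * WOFF_ENTRY_SIZE;
        uint32_t offset   = be32(e + 4);
        uint32_t comp_len = be32(e + 8);
        uint32_t orig_len = be32(e + 12);
        if (comp_len > orig_len)
            return WOFF_COMP_GT_ORIG;       /* decompressing would grow past origLength */
        if ((uint64_t)offset + comp_len > buflen)
            return WOFF_TABLE_OUT_OF_BOUNDS;
    }
    return WOFF_OK;
}

static void put32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static void put16(uint8_t *p, uint16_t v)
{
    p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v;
}

/* Builds a constructed one-table WOFF (not a real font) whose directory
 * entry carries the given compLength/origLength, then validates it. */
enum woff_status check_sample(uint32_t comp_len, uint32_t orig_len, int corrupt_signature)
{
    uint8_t font[SAMPLE_LEN];
    memset(font, 0, sizeof font);
    memcpy(font, "wOFF", 4);
    put32(font + 4, 0x00010000u);          /* flavor: TrueType outlines */
    put32(font + 8, SAMPLE_LEN);           /* length */
    put16(font + 12, 1);                   /* numTables */
    put32(font + 16, 32u);                 /* totalSfntSize (not checked here) */
    put16(font + 20, 1);                   /* majorVersion */
    uint8_t *entry = font + WOFF_HEADER_SIZE;
    memcpy(entry, "cmap", 4);              /* tag */
    put32(entry + 4, 64u);                 /* offset of the table data */
    put32(entry + 8, comp_len);
    put32(entry + 12, orig_len);
    put32(entry + 16, 0u);                 /* origChecksum, not verified here */
    if (corrupt_signature)
        font[0] = 'x';
    return woff_validate(font, sizeof font);
}

int main(void)
{
    printf("well-formed:             %d\n", check_sample(4u, 4u, 0));
    printf("runs past end of file:   %d\n", check_sample(5u, 5u, 0));
    printf("compLength > origLength: %d\n", check_sample(4u, 2u, 0));
    printf("offset+compLength wraps: %d\n", check_sample(0xFFFFFFF0u, 0xFFFFFFF0u, 0));
    printf("bad signature:           %d\n", check_sample(4u, 4u, 1));
    return 0;
}
```

The fourth case is the one worth staring at: with 32-bit arithmetic, 64 + 0xFFFFFFF0 wraps to 48, which is comfortably inside a 68-byte file, so a naive `offset + compLength <= length` check would wave the table through and the decoder would then read far past the end of the buffer. Doing the sum in 64 bits, and checking it against the buffer you actually hold rather than the size the file claims for itself, is the whole defence.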

Despite an attack already being known in the wild, Google has included its customary notification that the update will “roll out over the coming days/weeks”, presumably because some Chrome users may be dependent on a vendor to push out fixes.