10-23-2020 , 01:00 PM
Quote:Google has released Chrome 86.0.4240.111 today, October 20th, 2020, to the Stable desktop channel to address five security vulnerabilities, one of them an actively exploited zero-day bug.source : https://www.bleepingcomputer.com/news/se...o-day-bug/
"Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild," the Google Chrome 86.0.4240.111 announcement reads.
This version is rolling out to the entire userbase during the next days/weeks. Windows, Mac, and Linux desktop users can upgrade to Chrome 86 by going to Settings -> Help -> About Google Chrome.
The Google Chrome web browser will then automatically check for the new update and install it when available.
Freetype zero-day bug under active exploitation
"Project Zero discovered and reported an actively exploited 0day in freetype that was being used to target Chrome," said Ben Hawkes, technical team lead of Google's 'Project Zero' security research team.
"While we only saw an exploit for Chrome, other users of freetype should adopt the fix discussed here: https://savannah.nongnu.org/bugs/?59308 -- the fix is also in today's stable release of FreeType 2.10.4," Hawkes added.
The heap buffer overflow zero-day bug found in the popular FreeType text rendering library has been reported by Google Project Zero's Sergei Glazunov on October 19.
According to Glazunov's report, the vulnerability "exists in the function `Load_SBit_Png`, which processes PNG images embedded into fonts."