Skip to main content

Google fixes two more Chrome zero-days that were under active exploit

posted onNovember 3, 2020
by l33tdawg
Arstechnica
Credit: Arstechnica

Google has patched two zero-day vulnerabilities in its Chrome browser, the third time in two weeks that the company has fixed a Chrome security flaw that’s under active exploit.

According to a Monday tweet from Ben Hawkes, the head of Google’s Project Zero vulnerability and exploit research arm, CVE-2020-16009, as the first vulnerability is tracked, is a remote code-execution bug in V8, Chrome’s open source JavaScript engine. A second security flaw, CVE-2020-16010, is a heap-based buffer overflow in Chrome for Android. Hawkes said it allows attackers to escape the Android sandbox, suggesting that hackers may have been using it in combination with a separate vulnerability.

Hawkes didn’t provide additional details, such as what desktop versions of Chrome were actively targeted, who the victims were, or how long the attacks had been going on. It also wasn’t clear if the same attack group was responsible for all three exploits. CVE-2020-16009 was in part discovered by a member of Google’s Threat Analysis Group, which focuses on government-backed hacking, suggesting that exploits of that vulnerability may be the work of a nation-state. Project Zero was involved in the discovery of all three of the zero-days.

Source

Tags

Security

You May Also Like

Recent News

Friday, November 8th

Friday, November 1st

Tuesday, July 9th

Wednesday, July 3rd

Friday, June 28th

Thursday, June 27th

Thursday, June 13th

Wednesday, June 12th

Tuesday, June 11th

Friday, June 7th