Google Patches Zero-Day Flaw in Chrome Under Active Attacks: Update Now


Google has patched a zero-day vulnerability in Chrome that is being exploited in the wild. The new patch is a part of the latest Chrome update that carries version 80.0.3987.122 for Windows, Mac, and Linux users, the search giant revealed through a blog post. The update is the third in the series of zero-day fixes that Google has brought in the past year. The first zero-day vulnerability was discovered and patched in March last year. It was a part of the Chrome version 72.0.3626.121.

Antti Tikkanen of Google’s Threat Analyst Group posted a tweet on Tuesday to announce the patching of the zero-day vulnerability that is tracked under CVE-2020-6418. The Chrome team also separately mentioned in the blog post that the vulnerability was reported by Clement Lecigne of Google’s Threat Analysis Group on February 18.

Google is aware of reports that an exploit for CVE-2020-6418 exists in the wild,” the company wrote in the blog post.

It is unclear whether any malicious parties leveraged the security loophole to affect Chrome users. However, the vulnerability has been described as a “type confusion in V8.”

As noted by Catalin Cimpanu of ZDNet, V8 is a component in Google Chrome that is responsible for processing JavaScript code. A community-developed list on the Common Weakness Enumeration (CWE) website states that a “type confusion” refers to the program that allocates or initialises a resource using one type, but it is later tricked to access that resource using a type that is not matching with the original type. Moreover, a bug of type confusion nature could allow attackers to execute unrestricted malicious code within an app.

The Chrome version 80.0.3987.122 that includes the fix for the newly discovered zero-day flaw is available for download for Windows, Mac, and Linux users. The update also contains fixes for two other vulnerabilities that had “high” severity.

In March last year, Google patched the zero-day flaw listed as CVE-2019-5786 that was also reported by Clement Lecigne of the Threat Analysis Group. The second zero-day vulnerability that the search giant fixed in the last one year was tracked by an identifier of CVE-2019-13720 that was patched in November.



Source link

Leave a Comment