Google has patched two zero-day vulnerabilities in the Chrome browser. This is the third time in two weeks that the company has had to fix a Chrome flaw under active exploit. A tweet on Monday from Ben Hawkes, head of Google's Project Zero vulnerability and exploit research team, confirmed the vulnerabilities.
The first vulnerability, tracked as CVE-2020-16009, is a remote code-execution bug in V8, Chrome's open-source JavaScript engine.
The second, CVE-2020-16010, is a heap-based buffer overflow in Chrome for Android. Hawkes said attackers use it to escape the Android sandbox, adding that they may have been chaining it with another vulnerability.
Possible nation-state involvement
Hawkes did not have any additional details to offer. For instance, we do not know which desktop version of Chrome was targeted by the active exploits or how long the attacks have been going on. It is also unknown whether the same attack group is behind all three flaws.
Google's Threat Analysis Group discovered CVE-2020-16009. The group usually focuses on government-backed hacking, suggesting that a nation-state may be funding the active exploitation.
Project Zero has been involved in the discovery of all three zero-days.
A barrage of attacks
This news comes two weeks after Google fixed CVE-2020-15999, an actively exploited flaw in FreeType, a font-rendering library used by many apps. It seems that the ongoing pandemic is exacerbating the ramp-up in attacks.
To gain code-execution capabilities, attackers combined exploits, including one for an unpatched bug in Windows 10 and Windows 7.
Since Chrome updates automatically, many users already have the patches for CVE-2020-16009 and CVE-2020-15999 installed, provided they restarted the browser. The update addressing the latest exploit will be available in the next few weeks.