Google updated the Google Chrome browser to version 86.0.4240.111 on October 20, 2020. This update closes a 0-day vulnerability, CVE-2020-15999, in the FreeType font library (which is also shipped in other software, including Linux distributions) that is already being exploited in the wild.
Chrome 86.0.4240.111 with security fixes
The new Chrome 86.0.4240.111 for the desktop contains a number of fixes (see changelog). The Google blog carries this post announcing the browser update; it also lists the closed vulnerabilities:
- [$500] High CVE-2020-16000: Inappropriate implementation in Blink. Reported by amaebi_jp on 2020-09-06
- [$TBD] High CVE-2020-16001: Use after free in media. Reported by Khalil Zhani on 2020-10-05
- [$TBD] High CVE-2020-16002: Use after free in PDFium. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2020-10-13
- [$NA] High CVE-2020-15999: Heap buffer overflow in Freetype. Reported by Sergei Glazunov of Google Project Zero on 2020-10-19
- [$3000] Medium CVE-2020-16003: Use after free in printing. Reported by Khalil Zhani on 2020-10-04
Four of the five vulnerabilities are rated High and one Medium. The heap buffer overflow CVE-2020-15999 in the FreeType font library was probably the reason for this out-of-band release: Google notes that an exploit for it exists in the wild.
The Chrome version for Windows, Mac and Linux will be rolled out over the next days via automatic update. You can also download this build here. Updates for Edge, Vivaldi and other Chromium-based browsers should follow as well (possibly in the coming days).
Attacks against CVE-2020-15999 in FreeType library
According to Ben Hawkes, lead of the Project Zero team, this FreeType bug has been seen being used in attacks against Chrome users (see this ZDNet article). Hawkes urged other vendors whose products use the same FreeType library to update their software too, because attackers are likely to shift this type of attack to other applications that embed the library. The fix is included in FreeType 2.10.4, which was released on October 20, 2020.
Note: Linux users should act here as well, because FreeType is the system font library on Linux and is used by many applications beyond the browser (see e.g. this Debian entry).
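A quick local check a Linux administrator might want at this point, added here as an example and not taken from the original post: compare the installed FreeType and Chrome versions against the fixed releases named above (FreeType 2.10.4, Chrome 86.0.4240.111). It assumes that pkg-config reports the system FreeType, that the browser binary is one of the names listed in the script, and that version strings are plain dotted numbers; none of these assumptions come from the article.

```shell
#!/bin/sh
# Added example, not code from the original post: check whether the locally
# installed FreeType and Chrome builds are at or above the fixed versions
# named in the article. Assumptions (not from the post): pkg-config reports
# the system FreeType, the browser binary is one of the names listed below,
# and version strings are plain dotted numbers.

FIXED_FREETYPE="2.10.4"        # first FreeType release with the CVE-2020-15999 fix
FIXED_CHROME="86.0.4240.111"   # Chrome build that ships the fix

# version_lt A B: succeed (exit 0) if dotted version A is strictly below B.
# Compares component by component as integers, so 86.0.4240.75 sorts below
# 86.0.4240.111 and 2.9.1 below 2.10.4; a plain string compare gets both wrong.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"             # leading component of each
        [ "$ax" = "$a" ] && a="" || a="${a#*.}"  # drop it from the remainder
        [ "$bx" = "$b" ] && b="" || b="${b#*.}"
        ax="${ax:-0}"; bx="${bx:-0}"             # a missing component counts as 0
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
    done
    return 1   # all components equal: not less than
}

# status INSTALLED FIXED: print "vulnerable" if INSTALLED is below FIXED, else "patched".
status() {
    if version_lt "$1" "$2"; then echo "vulnerable"; else echo "patched"; fi
}

# installed_freetype: system FreeType version via pkg-config, empty if unknown.
installed_freetype() {
    pkg-config --modversion freetype2 2>/dev/null || true
}

# installed_chrome: version of the first Chrome/Chromium binary found on PATH.
installed_chrome() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser; do
        if command -v "$bin" >/dev/null 2>&1; then
            # "Google Chrome 86.0.4240.111" -> "86.0.4240.111"
            # ([^0-9]* instead of .* so the match starts at the first digit)
            "$bin" --version 2>/dev/null \
              | sed -n 's/[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)\{3\}\).*/\1/p'
            return 0
        fi
    done
    return 0
}

# report: human-readable summary; always returns 0 so it is safe under set -e.
report() {
    ft="$(installed_freetype)"
    ch="$(installed_chrome)"
    if [ -n "$ft" ]; then
        echo "FreeType $ft: $(status "$ft" "$FIXED_FREETYPE") (fixed in $FIXED_FREETYPE)"
    else
        echo "FreeType: version not found (pkg-config or freetype2.pc missing)"
    fi
    if [ -n "$ch" ]; then
        echo "Chrome $ch: $(status "$ch" "$FIXED_CHROME") (fixed in $FIXED_CHROME)"
    else
        echo "Chrome: no google-chrome/chromium binary on PATH"
    fi
    return 0
}

report
```

One caveat for the FreeType half: distributions frequently backport a security fix into their existing package without adopting the new upstream version number, so a "vulnerable" verdict based on the upstream version alone can be a false positive. On Debian and Ubuntu the package changelog (`apt changelog libfreetype6`) and the distribution's security tracker are the authoritative sources; the script only tells you whether the upstream version itself already contains the fix.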