Google has released an update for Chrome that patches three security bugs, one of which is a zero-day vulnerability that is currently being exploited. The vulnerability, tracked as CVE-2020-6418, was discovered by Clement Lecigne, a member of Google's Threat Analysis Group, on February 18.
Found and analyzed with a lot of help from @5aelo and Sergei. https://t.co/qeBkjsao4o
— clem1 (@_clem1) February 25, 2020
While it is known that the vulnerability is being exploited in the wild, information on how it is being used is not public yet. The vulnerability has been patched in Chrome version 80.0.3987.122. The update is rolling out to all Windows, Mac, and Linux users. However, it is not known when an update with the patch will make it to the mobile versions of the browser.
As for the vulnerability itself, it is described as a ‘type confusion in V8’. V8 is Chrome’s component responsible for processing JavaScript code. Type confusion is a logic bug that occurs when a program accesses a resource using a type incompatible with the one it actually holds, leading to logical errors. When exploited, the vulnerability can allow attackers to run unrestricted code in the affected application.
The search giant patched Chrome’s first zero-day vulnerability back in March 2019 when it disclosed the security risk along with a vulnerability in Windows 7. Since the patch fixes a zero-day that is currently being exploited in the wild, it is best for users to update their browsers to the latest version (80.0.3987.122). You can download the update using the offline installer here, or head to the three-dot menu on Chrome > Help > About Google Chrome, and force the update.
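For administrators checking more than one machine, the following added example (not from the article or from Google) classifies reported Chrome version strings against the patched build 80.0.3987.122. The host names and readings are constructed sample data, and it assumes any build numbered at or above the patched one contains the fix.

```python
import re

# Patched desktop release named in the article.
PATCHED = (80, 0, 3987, 122)

# Matches the four-part version in output such as "Google Chrome 80.0.3987.116".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the version as a tuple of ints, or None if none is present."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_output):
    """Classify one host's reported version string against the patched build."""
    version = parse_version(version_output)
    if version is None:
        return "unknown"  # no version found: needs manual follow-up
    # Tuple comparison is numeric per component. Comparing the raw strings
    # would wrongly rank "80.0.3987.99" above "80.0.3987.122".
    # Assumption: a build numbered >= PATCHED contains the fix.
    return "patched" if version >= PATCHED else "vulnerable"


def audit(inventory):
    """Map host name -> status for a {host: version_output} inventory."""
    return {host: classify(output) for host, output in inventory.items()}


# Constructed sample inventory (host names and readings are made up).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 80.0.3987.122",
    "ws-02": "Google Chrome 80.0.3987.116",
    "ws-03": "Google Chrome 80.0.3987.99",
    "ws-04": "chrome: command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be checked by hand rather than assumed safe.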
Source: Clement Lecigne (Twitter) via ZDNet