Google Patches Actively Exploited Chrome 0-Day Flaw
⚡ TL;DR: Go Straight to the Chrome 80 Zero-Day Audit Report.
Time to update your Google Chrome installations immediately to the latest version. Why the urgency? Google issued an emergency update to address three vulnerabilities for Chrome, one of which is a Zero–Day flaw being actively exploited in the wild.
The latest Chrome 80.0.3987.122 includes security fixes for 3 high-severity vulnerabilities, including one that has been reportedly exploited in the wild. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, obtain sensitive information, bypass security restrictions and perform unauthorized actions, or cause denial-of-service conditions.
- High – Integer Overflow in ICU
The Chrome Zero-Day vulnerability allows a remote attacker to execute arbitrary code on the target system and exists due to integer overflow in the ICU component. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger an integer overflow and execute arbitrary code on the target system.
- High – CVE-2020-6407: Out of Bounds Memory Access in Streams
CVE-2020-6407 exists due to a boundary error when processing untrusted input in streams. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger out-of-bounds write and execute arbitrary code on the target system.
- High – CVE-2020-6418: Type Confusion in V8
The type confusion flaw allows a remote attacker to execute arbitrary code on the target system and resides in the V8 component. Successful exploitation of this vulnerability may result in a complete compromise of a vulnerable system.
In their Security Advisory, Google states that they are aware of reports that an exploit for CVE-2020-6418 exists in the wild.
This marks the first Chrome zero-day that has been exploited in the wild in 2020. Back in 2019, Google patched a Chrome zero-day in March last year (CVE-2019-5786 in Chrome 72.0.3626.121), followed by a major one in November (CVE-2019-13720 in Chrome 78.0.3904.8).
Run the Chrome Zero-Day Audit
If you currently have Google Chrome deployed on your workstations, it’s pretty critical that you update them at the earliest opportunity to ensure that you don’t fall prey to these vulnerabilities. Our Google Chrome 0-Day Vulnerability Audit Report can tell you in no time which devices have a vulnerable Chrome version in place and need to be patched.
If you haven’t already, start your free Lansweeper trial and get a list of all vulnerable Chrome versions in no time.