Google has released an update to its Chrome web browser, fixing a number of security bugs. Of particular note, is the fact that the new Chrome version 86.0.4240.111 contains a patch for a recently discovered zero-day exploit.
The security bug, listed as CVE-2020-15999, is a memory corruption vulnerability, which will come as no surprise to individuals with knowledge of the Chrome security landscape. According to internal research undertaken by Google, 70 per cent of all the serious security bugs affecting Chrome are memory-related. Microsoft researchers came up with a similar figure.
This time, the patched exploit made use of a vulnerability with the FreeType font rendering library that comes packaged with Chrome. The security bug was discovered by Google’s internal Project Zero team after Chrome users were targeted by cyberattackers.
An essential update
Chrome users can stay protected by updating to the latest version of the browser, but other individuals may still be at risk. Other software solutions that use the FreeType library could still be targeted, so Google advises at-risk individuals to download the latest version of FreeType to get patched up.
“Project Zero discovered and reported an actively exploited 0day in freetype that was being used to target Chrome,” Project Zero lead Ben Hawkes tweeted. “While we only saw an exploit for Chrome, other users of freetype should adopt the fix.”
It is important that online users download the patch as soon as possible as threat actors, even those that were not previously aware of the vulnerability, may decide to strike. As FreeType is open-source, the native patch is available to view online and so could be utilised by cyberattackers to reverse engineer their own exploits.