The new Chrome zero-day is under attack –– what to do?
ATTENTION! If you are using the Google Chrome browser on your desktop or laptop (Windows, Mac, or Linux), you may need to update your browser to the latest software version immediately.
Why the urgency?
For everyone’s information, Google just released Chrome version 86.0.4240.111 today. Version updates are mostly for improvements on security and other features and this one is no different.
Unfortunately, there is a Chrome zero-day vulnerability that attackers have been exploiting to hijack targeted computers. And this latest Chrome version is to patch up this high-level security issue.
Attack of high-severity
The FreeType flaw, listed as CVE-2020-15999, is a type of memory-corruption flaw that is an open-source software development library, popular in rendering fonts that are packaged with Chrome. The flaw has been heavily exploited and more importantly, classified as “high” severity.
Initially, the vulnerability was discovered by Google’s Project Zero security researcher, Sergei Glazunov, on October 19th. He then immediately reported this to the FreeType developers.
Fortunately, on October 20th, a day after the issue had been reported, FreeType developers then released FreeType 2.10.4 –– an emergency patch to address the issue.
Google’s Project Zero technical lead, Ben Hawkes, warned on Twitter that while the team had only spotted an exploit targeting Chrome users, it is also possible that other projects using FreeType might be vulnerable to the attack too. Google asked FreeType developers to include other projects in their fix as well.
No details yet regarding who is actively exploiting this flaw. But Google is expected to be posting technical details on October 26th.
“While we only saw an exploit for Chrome, other users of Freetype should adopt the fix discussed here: https://savannah.nongnu.org/bugs/?59308 — the fix is also in today’s stable release of FreeType 2.10.4,” Hawkes tweeted.
According to Glazunov, the vulnerability exists in the FreeType’s function “Load_SBit_Png” which processes PNG images embedded into fonts. Attackers can exploit this to execute arbitrary code through the use of specifically crafted fonts with embedded PNG images.
“The issue is that libpng uses the original 32-bit values, which are saved in png_struct
. Therefore, if the original width and/or height are greater than 65535, the allocated buffer won’t be able to fit the bitmap,” Glazunov stated.
Google advised users to update Chrome immediately
The tech giant is very much aware of the active attack. And as a response to the attack, Google also released Chrome 86.0.4240.111, a stable version that is available to all users.
In addition to the FreeType zero-day vulnerability, Google also fixed four other flaws in the latest Chrome update. Three of these four flaws are classified as high-risk vulnerabilities. First, an inappropriate implementation bug in Blink. Second, a free bug in Chrome’s media. The third is a free bug in PDFium.
And the last is a medium-risk use after free issue in the browser’s printing function.
Chrome web browser users are notified about the latest version available. However, if they did not receive the notification, they can manually update their browsers to the latest version.
Click the three dots at the upper right corner of the browser, then select Help, then click About Google Chrome. A new tab will then open and start the update – if it is available. After that, your browser will relaunch; and you are then updated to the latest version.