In a bid to fix three new vulnerabilities in its browser, Google has issued updates for Chrome on all the major platforms (google chrome zero day vulnerability). The search giant published an advisory to address the high-severity vulnerabilities, with the most severe one leading to arbitrary code execution and claimed by the Google Development Team as “being exploited in the wild“. These vulnerabilities also affect Microsoft’s Chromium-based edge browser and addressed in the Microsoft Advisory. Also, a vulnerability management tool will be useful here.
The first vulnerability, which assigned by google chrome zero day vulnerability CVE-2020-6418, is a Type Confusion vulnerability and associated with a side-effect in Chrome’s V8 Engine. However, a patch management tool can patch this up. V8 is an open-source engine by Chrome and Chromium browsers to process JavaScript. A type confusion basically revolves around wrong function pointers or data being fed to the wrong block of code.
In this case, as per reports, the attacker uses a similar concept to alter the length of an array to an arbitrary value to gain access to the V8 memory heap. This can lead to arbitrary code execution within the browser sandbox. By default, Chrome does not run without its sandbox enabled, and the attacker would evidently require to launch this attack in conjunction with a sandbox escape in order to take over a device.
The second security flaw is an out of bounds memory access vulnerability and tracked as CVE-2020-6407. This vulnerability associated with the streams API, which to break down and process a resource, bit by bit.
The third vulnerability, which not assigned a CVE, arises due to an Integer Overflow in ICU.
In its habitual approach, Google has not disclosed additional information about any of the vulnerabilities to avoid large-scale exploits and buy some time for its users to secure their browsers.
Proof of Concept
A proof of concept exploit published by a group of researchers from Exodus Intelligence. However, as mentioned before, it can used to execute code within the sandbox.
Affected products
Google Chrome versions before 80.0.3987.122
Microsoft Chromium-based Edge versions before 80.0.361.62
Impact
These vulnerabilities could allow a remote attacker to execute arbitrary code on the affected systems.
Solution
Please refer to this KB Article, which is now replaced by KB Article, to apply the patches using SanerNow.
SecPod Saner detects these vulnerabilities and automatically fixes them by applying security updates. Download SanerNow and keep your systems updated and secure.