Google has released a security advisory for Chrome users on Windows, Mac, and Linux, addressing two critical zero-day vulnerabilities that are being exploited in the wild. The vulnerabilities are tracked as CVE-2020-16013 and CVE-2020-16017. Endpoints that have not been patched should have the patches deployed as soon as possible. The flaws were reported to Google by “anonymous” sources, unlike the previous cases, which were reported by Google’s elite Project Zero security team.
At the time of writing, details of attacks where both zero-days are being exploited have not been made public.
One of the flaws is a “use after free” memory corruption bug in Google Chrome’s site isolation feature, the component of Chrome that isolates each site’s data from that of other sites.
Google added in the advisory:
“Google is aware of reports that exploits for CVE-2020-16013 and CVE-2020-16017 exist in the wild.”
Note that CVE-2020-16009, a zero-day flaw Google patched last week, was also a similar “Inappropriate implementation in V8” issue. It was fixed in Chrome release 86.0.4240.183 and was reported by Clement Lecigne of Google’s Threat Analysis Group and Samuel Groß of Google Project Zero on 2020-10-29. It is not clear if the two issues are related.
Affected versions: Google Chrome versions before 86.0.4240.198.
This issue allows attackers to cause a program to crash, use unexpected values, or execute code on the affected system.
Google has released the security updates addressing the issue in Google Chrome version 86.0.4240.198.
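To find endpoints still below the fixed builds named above, the following added example (not from Google's advisory or this article's author) triages a software inventory against 86.0.4240.183 and 86.0.4240.198. The host names and inventory rows are constructed, and the "Google Chrome <version>" input format is an assumption about how the inventory reports versions.

```python
import re

# Fixed builds named in the article.
FIX_16009 = (86, 0, 4240, 183)        # CVE-2020-16009
FIX_16013_16017 = (86, 0, 4240, 198)  # CVE-2020-16013 and CVE-2020-16017

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text):
    """Return the four-part version as a tuple of ints, or None if absent."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Map a reported version string to a patch status."""
    version = parse_chrome_version(version_text)
    if version is None:
        return "unknown"  # treat as needing follow-up, never as patched
    # Compare as integer tuples: as plain strings, "86.0.4240.75" sorts
    # after "86.0.4240.198" and would be wrongly reported as patched.
    if version < FIX_16009:
        return "missing-all-fixes"
    if version < FIX_16013_16017:
        return "missing-16013-16017"
    return "patched"


def triage(inventory):
    """Return {host: status} for every host that is not confirmed patched."""
    results = {host: classify(text) for host, text in inventory}
    return {host: s for host, s in results.items() if s != "patched"}


# Constructed sample inventory (hypothetical hosts and builds).
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 86.0.4240.198"),
    ("ws-02", "Google Chrome 86.0.4240.183"),
    ("ws-03", "Google Chrome 86.0.4240.75"),
    ("ws-04", "Google Chrome 87.0.4280.66"),
    ("ws-05", ""),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```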