Google’s Project Zero white-hat hacker squad has patched two new zero-day vulnerabilities in the Chrome browser that are already being actively exploited in the wild. It is the third time in two weeks the team has had to patch a live vulnerability in the world’s most used web browser.

Ben Hawkes, the head of Project Zero, took to Twitter on Monday to make the announcement (via ArsTechnica):

The first, tracked as CVE-2020-16009, is a remote code-execution bug in V8, the custom JavaScript engine used in Chromium. The second, tracked as CVE-2020-16010, is a heap-based buffer overflow specific to the Android version of Chrome. It lets attackers get outside the sandbox environment, leaving them free to run malicious code, perhaps delivered via the other exploit, or maybe a completely different one.

There’s a lot we don’t know, since Project Zero often operates on a ‘need to know’ basis, lest an advisory turn into a ‘how to hack’ tutorial, but we can glean some bits of information. We don’t know, for example, who is responsible for exploiting the flaws, but the first (16009) was discovered by the Threat Analysis Group, which could well mean it's a state-sponsored actor. We don’t know which versions of Chrome are being targeted, so we’re recommending that you assume the answer is “the one you have” and update wherever possible if you haven’t received the latest version automatically. The Android patch is in the latest version of Chrome, currently available from the Google Play Store; you may need to trigger a manual update to be sure of receiving it in a timely manner.