Google fixes two more zero-day Chrome flaws that were already being exploited

Google fixes two more zero-day Chrome flaws that were already being exploited

Google’s Project Zero white-hat hacker squad has patched two new zero-day bug fixes for vulnerabilities in the Chrome Browser, already being actively exploited in the wild — the third time in two weeks the team has had to patch a live vulnerability in the world’s most used web browser.

Ben Hawkes, the head of Project Zero took to Twitter on Monday to make the announcement (via ArsTechnica):

The first, codenamed CVE-2020-16009, is a remote code-execution bug in V8, the custom Javascript engine used in Chromium. The second, coded CVE-2020-16010 is a heap-based buffer overflow, specific to the Android version of Chrome, which lets users outside the sandbox environment, leaving them free to exploit malicious code, perhaps from the other exploit, or maybe a completely different one.

There’s a lot we don’t know — Project Zero often uses a ‘need to know’ basis, lest it actually turns into a ‘how to hack’ tutorial — but we can glean some bits of information. We don’t know, for example, who is responsible for exploiting the flaws, but given that the first (16009) was discovered by the Threat Analysis Group, which could well mean it’s a state-sponsored actor. We don’t know which versions of Chrome are being targeted, so we’re recommending that you assume the answer is “the one you have” and update wherever possible if you’ve not had the latest version automatically. The Android patch is in the latest version of Chrome, currently available from the Google Play Store — you may need to trigger a manual update, to be sure of receiving it in a timely manner.

About author

Chris Merriman
Chris Merriman

I am the UK News Editor at XDA Developers. I’ve been writing about technology for over a decade for the likes of The Inquirer, where I was Associate Editor, Computer Shopper UK, and IT Pro. I’ve also appeared on Sky News, BBC, Al Jazeera and recently left a long-running weekly tech news spot on TalkRadio UK. My love of technology comes from my family who hail from the pioneering days of Silicon Valley - in fact my Grandfather worked on Mercury, Gemini and Apollo. I’ve been using smartphones (and reading XDA) since the HTC Canary in 2003. I’m also a smart home obsessive. You can find me tweeting as @ChrisTheDJ or email me at [email protected]