Google fixes two more zero-day Chrome flaws that were already being exploited
Google’s Project Zero white-hat hacker squad has patched two new zero-day bug fixes for vulnerabilities in the Chrome Browser, already being actively exploited in the wild — the third time in two weeks the team has had to patch a live vulnerability in the world’s most used web browser.
Ben Hawkes, the head of Project Zero took to Twitter on Monday to make the announcement (via ArsTechnica):
Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android. https://t.co/IOhFwT0Wx1
— Ben Hawkes (@benhawkes) November 2, 2020
There’s a lot we don’t know — Project Zero often uses a ‘need to know’ basis, lest it actually turns into a ‘how to hack’ tutorial — but we can glean some bits of information. We don’t know, for example, who is responsible for exploiting the flaws, but given that the first (16009) was discovered by the Threat Analysis Group, which could well mean it’s a state-sponsored actor. We don’t know which versions of Chrome are being targeted, so we’re recommending that you assume the answer is “the one you have” and update wherever possible if you’ve not had the latest version automatically. The Android patch is in the latest version of Chrome, currently available from the Google Play Store — you may need to trigger a manual update, to be sure of receiving it in a timely manner.