For the third time in a year, Google has fixed a Chrome zero-day (CVE-2020-6418) that is being actively exploited by attackers in the wild.
The vulnerability was discovered and reported to the Chromium team by Clement Lecigne of Google’s Threat Analysis Group on February 18.
The fix was already in place a day later but, as the code is public, researchers from Exodus Intelligence managed to analyze it and develop proof-of-concept exploit code.
They released the exploit – which works only if Chrome’s sandbox is disabled or can be bypassed via another vulnerability – and pointed out that it’s a good thing Google has managed to reduce Chrome’s “patch gap” to two weeks.
“It took us around 3 days to exploit the vulnerability after discovering the fix. Considering that a potential attacker would try to couple this with a sandbox escape and also work it into their own framework, it seems safe to say that 1day vulnerabilities are impractical to exploit on a weekly or bi-weekly release cycle,” they noted.
This, of course, does not mean much in this particular instance, as CVE-2020-6418 was a zero-day to begin with (i.e., the exploit for it existed and was used before the patch).
The Chrome release (v80.0.3987.122) fixing CVE-2020-6418 and two other high-risk flaws was released for Windows, Mac, and Linux and will roll out over the coming days/weeks.
Those users and admins who have disabled the auto-updating feature on Chrome would do well to implement the update as soon as possible.
Sophos’ Paul Ducklin also pointed out that V8 is used in other applications and runtime environments, including the Chromium-based Microsoft Edge browser. (Brave, Opera, and Vivaldi are also Chromium-based web browsers and use V8).
“We’re assuming that if other V8-based applications do turn out to share this bug, they will soon be patched too – but as far as we know now, the in-the-wild exploit only applies to V8 as used in Chrome itself,” he added.