Google fixes two actively exploited Chrome zero-days (CVE-2020-16009, CVE-2020-16010)

For the third time in two weeks, Google has patched Chrome zero-day vulnerabilities that are being actively exploited in the wild: CVE-2020-16009 is present in the desktop version of the browser, CVE-2020-16010 in the mobile (Android) version.

About the vulnerabilities (CVE-2020-16009, CVE-2020-16010)

As per usual, Google has refrained from sharing much detail about each of the patched vulnerabilities, so all we know is this:

• CVE-2020-16009 is an inappropriate implementation flaw in V8, Chrome’s open source JavaScript engine, which is used by attackers to achieve remote code execution via a crafted HTML page
• CVE-2020-16010 is a heap-based buffer overflow vulnerability in UI on Android, which is used to escape Chrome’s sandbox (i.e., to escalate privileges on the vulnerable system) via a crafted HTML page

The former was found and reported by Clement Lecigne of Google’s Threat Analysis Group (TAG) and Samuel Groß of Google Project Zero, the latter by Maddie Stone, Mark Brand, and Sergei Glazunov of Google Project Zero.

Google says that exploits for both exist in the wild. Google’s TAG is a team that focuses on detecting and thwarting government-backed attacks, so it’s likely that at least CVE-2020-16009 is being exploited by government-backed hackers.

The company did not say whether these Chrome zero-days and the one fixed two weeks ago (CVE-2020-15999) – which is exploited in conjunction with CVE-2020-17087, a Windows kernel zero-day – are being leveraged by the same attackers.

Update your Chrome installations

Chrome version 86.0.4240.183 for Windows, macOS and Linux is the latest stable version that contains fixes for CVE-2020-16009 and nine additional vulnerabilities. Users who don’t have auto-updating switched on should manually check for the update.

Chrome v86.0.4240.185 for Android contains all the aforementioned fixes plus the one for CVE-2020-16010. The update for the app is available on Google Play.