Google on Wednesday released an update for Chrome to patch two zero-day vulnerabilities that were exploited in the wild.
The search giant has now fixed five zero-day bugs in the past three weeks. While the first three vulnerabilities were discovered by Google’s security research team, the two most recent bugs came to Google’s knowledge through anonymous sources.
The company did not reveal details about the attacks and has restricted access to the links until a majority of users are updated with a fix. Google said it will retain the restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t fixed.
“Google is aware of reports that exploits for CVE-2020-16013 and CVE-2020-16017 exist in the wild,” Google said in a blog post.
“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.”
CVE-2020-16013 is a type of bug that incorrectly implements relevant security checks, and Google reported it as ‘Inappropriate implementation in V8’. According to researchers at Czech firm Cybersecurity Help, a remote attacker can create a specially crafted web page, trick the user into visiting it and compromise the system.
Google described CVE-2020-16017 as ‘Use after free in site isolation’. The vulnerability exists due to a use-after-free error within the site isolation component, which segregates the data of different sites from each other in Google Chrome. Similar to the first bug, a remote attacker can trick the user, trigger the use-after-free error and execute arbitrary code on the target system.
Both vulnerabilities have a rating of ‘High’.