Chrome Users Update Your Browser Now! Hackers Targeting Zero-Day Vulnerability
Table of Contents
- By Dawna M. Roberts
- Published: Oct 22, 2020
- Last Updated: Mar 18, 2022
Google updated its signature browser Chrome on Tuesday, October 20, to patch a whole host of severe security issues, including a zero-day vulnerability that could allow cybercriminals to hijack affected computers.
HackerNews sounded the alarm bell today, urging anyone who uses the Google Chrome browser to update to the latest version 86.0.4240.111 immediately to patch the software and protect against these dangers.
The issue known as CVE-2020-15999 relates to a memory-corruption bug named heap buffer overflow found in Freetype. Chrome uses Freetype for rendering fonts within the browser. Freetype is an open-source software library.
What Does Zero-Day Mean?
If you are curious about what zero-day means, it’s a term coined back in the digital bulletin board days to refer to the number of days since a new software program or video game was released to the public. However, regarding a zero-day vulnerability or exploit, it relates to how many days the software vendor was aware of the issue before reporting it.
A zero-day vulnerability is a security issue that the software developer is unaware of, and therefore, there is no current patch or fix for it. They exist most often in operating systems and browser software.
A zero-day exploit is the actual code cyber criminals use to attack a computer with a zero-day vulnerability. Because these issues often affect browsers and operating systems, they leave the user exposed to a computer takeover, ransomware, theft, and fraud.
How was the Issue Discovered?
Google Project Zero’s Sergei Glazunov discovered the vulnerability on October 19 and found that it was “under active exploitation in the wild.” After informing Google, Glazunov also let FreeType know, and they immediately took action creating an emergency patch, which they issued on October 20. The patched FreeType version is 2.10.4.
Another team member on Google Project Zero, Ben Hawkes, sent out a warning on Twitter that although this issue was discovered on Chrome, any other apps or software that uses FreeType may also be vulnerable to exploitation. Users should patch those as well. He included a link to grab the fix when he tweeted, “While we only saw an exploit for Chrome, other users of FreeType should adopt the fix discussed here: https://savannah.nongnu.org/bugs/?59308 — the fix is also in today’s stable release of FreeType 2.10.4.”
Additional information won’t be available until most users have patched their systems. Along with CVE-2020-15999, there have been two other exploits during the past twelve months (CVE-2019-13720 and CVE-2020-6418).
Google released the update for Windows on Tuesday promising that a Mac and Linux update will be forthcoming shortly. Hawkes also noted that although they haven’t tested the theory, “The chromium tracking bug has the OS-Android label applied (which means that they think that the bug does affect Android), but this isn’t something that Project Zero has validated. An ASAN build is required if you’re trying to reproduce it with the test font on the upstream bug.”
The Technical Details
The FreeType issue affects the function “Load_SBit_Png,” which converts PNG images into fonts. Hackers can create malicious fonts, embed them within PNG files to export this bug, and take over someone’s computer.
FreeType’s library uses 32-bit values saved in “png_struct,” so any image greater than 65535 won’t fit and will create a buffer overflow. To prove this issue, Glazunov developed a proof-of-concept example.
Along with the zero-day issue, in the Chrome update, Google addressed some other high-security flaws such as “Inappropriate implantation in Blink, use after free in media, use after free in PDFium, and use after free in printing” areas of the browser.
How to Update Your Version of Chrome
Typically, the Chrome browser will notify users or update when you open the program. However, to make sure you are using the latest version and trigger the update, open Chrome and from the main menu go to Help -> About Google Chrome, and the update process will start automatically. After the update, check your version to be sure you have the latest version: 86.0.4240.111.
Keeping Your Computer Safe
Heeding the advice of Google, you should always keep all your software patched and up to date with the latest security fixes. This applies to operating systems and browsers, especially. It’s also a good idea to install top-notch antivirus/anti-malware software and keep that updated. Run deep scans often to keep hackers away from your stuff and protect your identity. A couple of other tips are:
- Never click a link in an email.
- Stay away from malicious websites.
- Protect your home network with a strong password and firewall.
- Use very strong passwords on all your accounts.
- Use two-factor authentication whenever possible.
- Do not enter personal information online unless you are sure who you are dealing with.
- Watch out for phishing emails, fraud, and identity theft.