Google has discovered and patched a serious vulnerability in Chrome that attackers are actively exploiting at the moment.
The bug is a high-severity heap buffer overflow in FreeType, a free font-rendering engine that Chrome, among many other projects, uses. A member of Google’s Project Zero vulnerability research team discovered the vulnerability and subsequently found that attackers were already exploiting it. Google patched the flaw in Chrome 86.0.4240.111 for desktop browsers and the maintainers of the FreeType Project pushed out an emergency release of the library to fix it, as well.
“I've just fixed a heap buffer overflow that can happen for some malformed .ttf files with PNG sbit glyphs. It seems that this vulnerability gets already actively used in the wild, so I ask all users to apply the corresponding commit as soon as possible,” Werner Lemberg, one of the original authors of FreeType, said in an email to the FreeType announcement mailing list.
The vulnerability was introduced in FreeType 2.6 and is fixed in 2.10.4, Lemberg said.
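The article does not describe the root cause beyond "malformed .ttf files with PNG sbit glyphs". The following is an added illustration written for this page, not FreeType's code, of one way such an overflow arises in an embedded-bitmap loader: the PNG header carries 32-bit dimensions, the glyph loader narrows them to 16 bits to size its bitmap, and a "too large" check runs on the narrowed values instead of the originals. The decoder then writes rows according to the original header into a buffer sized from the truncated one. The structures, function names and the 0x7FFF limit are assumptions for the example, and whether this matches the exact FreeType defect is not something the article states.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for a PNG IHDR chunk: dimensions are 32-bit. */
typedef struct {
    uint32_t width;
    uint32_t height;
} ihdr_t;

/* Stand-in for the glyph bitmap record the loader fills (16-bit metrics). */
typedef struct {
    uint16_t width;
    uint16_t height;
    size_t   alloc_size;   /* bytes the loader allocates for BGRA pixels */
} sbit_bitmap_t;

/* Assumed upper bound on either dimension (hypothetical limit). */
#define MAX_DIM 0x7FFFu

/* Bytes a PNG decoder would write: it trusts the ORIGINAL 32-bit header.
 * 64-bit arithmetic so the comparison itself cannot wrap. */
static uint64_t decoder_write_size(const ihdr_t *ihdr)
{
    return (uint64_t)ihdr->width * 4u * (uint64_t)ihdr->height;
}

/* Vulnerable ordering: narrow to 16 bits first, then check the narrowed
 * values. A width of 0x10001 becomes 1 and sails through the check.
 * Returns 0 on accept, -1 on reject. */
static int load_sbit_vulnerable(const ihdr_t *ihdr, sbit_bitmap_t *map)
{
    map->width  = (uint16_t)ihdr->width;    /* silent truncation */
    map->height = (uint16_t)ihdr->height;
    if (map->height > MAX_DIM || map->width > MAX_DIM)
        return -1;
    map->alloc_size = (size_t)map->width * 4u * (size_t)map->height;
    return 0;
}

/* Hardened ordering: check the original 32-bit values before narrowing,
 * so any dimension that would not survive the cast is rejected. */
static int load_sbit_hardened(const ihdr_t *ihdr, sbit_bitmap_t *map)
{
    if (ihdr->height > MAX_DIM || ihdr->width > MAX_DIM)
        return -1;
    map->width  = (uint16_t)ihdr->width;    /* now known to fit */
    map->height = (uint16_t)ihdr->height;
    map->alloc_size = (size_t)map->width * 4u * (size_t)map->height;
    return 0;
}

/* 1 if the vulnerable loader accepts the header AND the decoder would write
 * more bytes than were allocated (a heap overflow), else 0. Only sizes are
 * compared; nothing is actually written out of bounds. */
int vulnerable_accepts_and_undersizes(uint32_t w, uint32_t h)
{
    ihdr_t ihdr = { w, h };
    sbit_bitmap_t map = { 0, 0, 0 };
    if (load_sbit_vulnerable(&ihdr, &map) != 0)
        return 0;
    return decoder_write_size(&ihdr) > (uint64_t)map.alloc_size ? 1 : 0;
}

/* 1 if the hardened loader accepts the header, else 0. */
int hardened_accepts(uint32_t w, uint32_t h)
{
    ihdr_t ihdr = { w, h };
    sbit_bitmap_t map = { 0, 0, 0 };
    return load_sbit_hardened(&ihdr, &map) == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed malformed header: width 0x10001 truncates to 1. */
    int bad = vulnerable_accepts_and_undersizes(0x10001u, 1u);   /* 1 */
    int fixed = hardened_accepts(0x10001u, 1u);                  /* 0 */
    return (bad == 1 && fixed == 0) ? 0 : 1;
}
```

The practitioner's check here is the order of operations: any bounds test on a value derived from untrusted file metadata has to run on the value at its original width, before a narrowing cast, and the allocation and the consumer of the buffer must agree on which copy of the dimensions they use.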
The Project Zero team did not release any details about the public exploitation attempts or the exploit itself, except to say that “Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild”. That is standard operating procedure for this kind of situation, especially when there are a number of cascading dependencies and many independent projects involved that need to implement their own fixes.
In addition to Chrome, many other widely used applications and operating systems use FreeType, including iOS, Android, GNU/Linux distributions, and ReactOS. Apple on Tuesday released an update for iOS and iPadOS but did not include any information about security fixes in the release notes, which is unusual but not unique.
Project Zero typically adheres to a 90-day vulnerability disclosure deadline, but for bugs that are under active attack the team shifts to a seven-day timeline. Google was first made aware of the flaw on Monday and pushed out the patch for Chrome today.
“Note that this vulnerability was originally reported to Google Chrome today (2020-10-19) under a 7 day deadline, which is used for vulnerabilities that have been detected in an "in the wild" exploit (e.g. the vulnerability is being actively exploited),” Sergei Glazunov of Project Zero said in an email to the FreeType Project mailing list Monday.