Google Patches Two More Chrome Zero Days Used by Attackers

Google on Wednesday patched two high-severity vulnerabilities in Chrome that the company says are in use by attackers.

The two flaws are the only ones fixed in the latest Chrome update, but given the existence of known exploits for both of them, it should be a high-priority update for enterprises. One of the vulnerabilities is an implementation flaw in V8, the JavaScript engine in Chrome, and the other bug is a use-after-free in site isolation.

Google did not release any of the details about either vulnerability, as is typical for most of the bugs it patches in Chrome. Both flaws were reported to Google last week by an anonymous researcher, and Google released updated versions of Chrome for Windows, Mac, and Linux on Wednesday.

This is the third time in less than a month that Google has pushed out an update for Chrome to address vulnerabilities that were under active exploitation. In late October, Google’s Project Zero identified a vulnerability in the FreeType font-rendering engine that’s used in Chrome and many other applications. That vulnerability is a heap buffer overflow, and Google’s researchers found that attackers were already exploiting it.

“I've just fixed a heap buffer overflow that can happen for some malformed .ttf files with PNG sbit glyphs. It seems that this vulnerability gets already actively used in the wild, so I ask all users to apply the corresponding commit as soon as possible,” Werner Lemberg, one of the original authors of FreeType, said in an email to the FreeType announcement mailing list.

Then, a couple of weeks later, on Nov. 2, Google released another update for Chrome that fixed a separate implementation flaw in V8 that was also being actively exploited. That bug was also discovered by Project Zero, as was a zero day for Chrome on Android that attackers were exploiting.