Google has released Chrome version 86.0.4240.111 earlier today to deploy security fixes, including a patch for an actively exploited zero-day vulnerability.
The zero-day is tracked as CVE-2020-15999 and is described as a memory corruption bug in the FreeType font rendering library that’s included with standard Chrome distributions.
In-the-wild attacks leveraging this FreeType bug were discovered by security researchers from Project Zero, one of Google’s internal security teams.
According to Project Zero team lead Ben Hawkes, a threat actor was spotted abusing this FreeType bug to mount attacks against Chrome users.
Hawkes now urged other app vendors who use the same FreeType library to update their software as well, in case the threat actor decides to shift attacks against other apps.
A patch for this bug has been included in FreeType 2.10.4, released earlier today.
Chrome users can updated to v86.0.4240.111 via the browser’s built-in update function (see Chrome menu, Help option, and About Google Chrome section).
The finer details about CVE-2020-15999 active exploitation attempts have not been made public. Google usually sits on technical details for months to give users enough time to update and keep even the smallest clues from falling into attackers’ hands.
However, since the patch for this zero-day is visible in the source code of FreeType, an open source project, it’s expected that threat actors will be able to reverse-engineer the zero-day and come up with their own exploits within days or weeks.
CVE-2020-15999 is the third Chrome zero-day exploited in the wild in the past twelve months. The first two were CVE-2019-13720 (October 2019) and CVE-2020-6418 (February 2020).