In a follow-up report last week, Google said this first Chrome zero-day was used together with a Windows zero-day (CVE-2020-17087) as part of a two-step exploit chain: the Chrome zero-day allowed attackers to execute malicious code inside Chrome, while the Windows zero-day was used to elevate the code's privileges and attack the underlying Windows OS.
Hours after the Chrome team released patches for this second zero-day, Google revealed a third zero-day, impacting only the Android version of Chrome.
While the three zero-days are all different from each other and impact different Chrome versions and components, Google did not clarify whether all of them are being exploited by the same threat actor or by multiple groups.
Such details are usually revealed months after patches, via reports published on Google's Project Zero and Google Security blogs. In the meantime, Chrome users, both on Android and on desktop, should hurry to install the latest updates (v86.0.4240.185 on Android and v86.0.4240.183 on desktop).