Google has released a security update today for its Chrome web browser that patches ten security bugs, including one zero-day vulnerability that is being actively exploited in the wild.
Identified as CVE-2020-16009, the zero-day was discovered by Google's Threat Analysis Group (TAG), a security team at Google tasked with tracking threat actors and their ongoing operations.
In typical Google fashion, details about the zero-day and the group exploiting it have not been made public. Withholding them gives Chrome users more time to install the update and keeps other threat actors from developing their own exploits for the same bug.
Chrome users are advised to update their browser to version 86.0.4240.183 or later.
Second zero-day in two weeks
This is the second Chrome zero-day that Google found exploited in the wild in the past two weeks.
On October 20, Google also released a security update for Chrome to patch CVE-2020-15999, a zero-day in the FreeType font rendering library that Chrome bundles.
As Google revealed last Friday, this Chrome zero-day was used together with a Windows zero-day (CVE-2020-17087).
The Chrome zero-day was used to execute malicious code inside Chrome, while the Windows zero-day, a bug in the Windows kernel, was used to escape Chrome's sandbox, elevate the code's privileges and attack the underlying Windows OS. Microsoft is expected to patch it on November 10, during the company's next Patch Tuesday.
Google didn't clarify if these two zero-days were abused by the same threat actor.
Update: Third zero-day also disclosed
Five hours after this article went live, Google also released patches for a third zero-day.
Unlike the first two, this one affects only Chrome for Android.
Tracked as CVE-2020-16010, it is a heap buffer overflow in the Chrome for Android user interface (UI) component. Users can protect themselves by updating Chrome for Android to version 86.0.4240.185 or later.
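For anyone who has to confirm that a fleet is on the fixed builds named above (86.0.4240.183 for desktop, 86.0.4240.185 for Android), the following added example compares installed Chrome versions against those builds. It is not Google's code or part of the original article. The fixed versions are the ones the article states; the platform labels, function names and the inventory rows are assumptions and constructed sample data. The article gives no separate Android build for CVE-2020-16009, so the table carries only the two page-supported entries and is meant to be extended from the release notes. The one detail worth seeing in code is that Chrome's four-part versions must be compared numerically: as a string, "86.0.4240.99" sorts above "86.0.4240.183" and would wrongly pass as patched.

```python
"""Flag Chrome installs that predate the fixed builds named in the article.

Added example, not Google's code. Fixed versions come from the article;
platform labels and the inventory below are constructed for illustration.
"""
import re
from typing import Dict, Iterable, List, Tuple

# (CVE, platform, first build that carries the fix) -- versions from the article.
FIXES: List[Tuple[str, str, str]] = [
    ("CVE-2020-16009", "desktop", "86.0.4240.183"),
    ("CVE-2020-16010", "android", "86.0.4240.185"),
]

_VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+\.\d+)\b")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '86.0.4240.183' into (86, 0, 4240, 183).

    Comparing the integer tuple is what makes 86.0.4240.99 sort below
    86.0.4240.183; a plain string comparison gets that backwards.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def extract_version(text: str) -> str:
    """Pull the version out of text such as 'Google Chrome 86.0.4240.183',
    which is what `google-chrome --version` prints on Linux."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return match.group(1)


def missing_fixes(platform: str, installed: str) -> List[str]:
    """CVEs in FIXES for this platform whose fix is newer than `installed`."""
    have = parse_version(installed)
    return [cve for cve, plat, fixed in FIXES
            if plat == platform and have < parse_version(fixed)]


def audit(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Map host -> missing CVEs for every host that is not fully patched."""
    report: Dict[str, List[str]] = {}
    for host, platform, version in inventory:
        missing = missing_fixes(platform, version)
        if missing:
            report[host] = missing
    return report


# Constructed sample inventory: (host, platform, installed version).
SAMPLE_INVENTORY = [
    ("ws-01", "desktop", "86.0.4240.183"),    # on the fixed build
    ("ws-02", "desktop", "86.0.4240.111"),    # older 86 build
    ("ws-03", "desktop", "86.0.4240.99"),     # would pass a naive string comparison
    ("phone-01", "android", "86.0.4240.185"),
    ("phone-02", "android", "86.0.4240.183"),  # desktop fix level, not the Android one
]

if __name__ == "__main__":
    for host, cves in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: missing {', '.join(cves)}")
```

To use it against real data, feed `audit()` rows built from whatever your inventory tool reports, running `extract_version()` over raw strings such as the output of `google-chrome --version` or the chrome://version page.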