Google patches two more Chrome zero-days

Google has now patched five Chrome zero-days in three weeks.


Image: Mitchell Luo

Google today released Chrome version 86.0.4240.198 to patch two zero-day vulnerabilities that were exploited in the wild.

These two bugs mark the fourth and fifth zero-days that Google has patched in Chrome over the past three weeks.

The difference this time is that while the first three zero-days were discovered internally by Google security researchers, these two new zero-days came to Google's attention after tips from anonymous sources.

Details about the attacks in which the two Chrome zero-days were used have not been made public at the time of writing.

According to the Chrome 86.0.4240.198 changelog, the two zero-days are tracked and described as follows:

  • CVE-2020-16013 - Described as an "inappropriate implementation in V8," where V8 is the Chrome component that handles JavaScript code.
  • CVE-2020-16017 - Described as a "use after free" memory corruption bug in Site Isolation, the Chrome component that isolates each site's data from that of other sites.

It is currently unknown if the two vulnerabilities have been used together, as part of an exploit chain, or used individually. The first one was reported on Monday, while the second was reported earlier today, on Wednesday.

These two zero-days come after Google also patched:

Most zero-days are usually employed in targeted attacks against a small number of selected targets, so most users shouldn't needlessly panic.

While the level of danger for regular users is unclear, Chrome users are still advised to update to v86.0.4240.198 via the browser's built-in update function (see Chrome menu, Help option, and About Google Chrome section) as soon as possible.