Google has released today Chrome version 86.0.4240.198 to patch two zero-day vulnerabilities that were exploited in the wild.
These two bugs mark the fourth and fifth zero-days that Google has patched in Chrome over the past three weeks.
The difference this time is that while the first three zero-days were discovered internally by Google security researchers, these two new zero-days came to Google's attention after tips from anonymous sources.
Details about the attacks where the Chrome two zero-days have been used have not been made public, at the time of writing.
According to the Chrome 86.0.4240.198 changelog, the two zero-days are tracked and described as follows:
- CVE-2020-16017 - Described as a "use after free" memory corruption bug in Site Isolation, the Chrome component that isolates each site's data from one another.
It is currently unknown if the two vulnerabilities have been used together, as part of an exploit chain, or used individually. The first one was reported on Monday, while the second was reported earlier today, on Wednesday.
These two zero-days come after Google also patched:
- CVE-2020-15999 - a zero-day in Chrome's FreeType font rendering library that Google patched on October 20. This Chrome zero-day was utilized together with a Windows zero-day (CVE-2020-17087), which Microsoft patched yesterday.
- CVE-2020-16010 - a third zero-day, this time in Chrome for Android, impacting the browser's user interface (UI) component.
Most zero-days are usually employed in targeted attacks against a small number of selected targets, so most users shouldn't needlessly panic.
While it's unclear the level of danger for regular users, Chrome users are still advised to update to v86.0.4240.198 via the browser's built-in update function (see Chrome menu, Help option, and About Google Chrome section) as soon as possible.