Security researchers have found two new Google Chrome zero-days that were exploited in the wild by hackers. The vulnerabilities could allow an attacker to compromise a victim’s system via the web.
According to Google, the two Chrome zero-days were under active exploitation by hackers.
A stable update, 86.0.4240.198, will roll out within a few days or weeks. The bug details will be kept secret until a majority of users have updated their systems.
The vulnerabilities are tracked as CVE-2020-16013 and CVE-2020-16017, and both are of High severity. According to anonymous reports, the vulnerabilities get a ranking of 8.4 out of 10 on the CVSS bug-severity scale.
According to a researcher at the Czech firm Cybersecurity Help, the CVE-2020-16013 vulnerability was present due to an incorrect implementation in V8 in Google Chrome. A remote attacker can create a specially crafted web page and trick a victim into clicking on it in order to compromise the system.
The CVE-2020-16017 vulnerability was present due to a use-after-free error within the site isolation component in Google Chrome. A remote attacker can create a specially crafted web page that triggers the use-after-free error and then execute arbitrary code on the target system.
Earlier this month, Google Chrome patched a zero-day, CVE-2020-16009, which was due to an inappropriate implementation in V8. However, it is unclear whether these two bugs are related to it.
Then, last week, Google patched two security bugs that were present in Google’s Chrome desktop and Android-based browsers. Both vulnerabilities were discovered by researchers at Google’s Threat Analysis Group and Google Project Zero.