We all know the popularity and extensive audience of the Google Chrome browser, which can be used on Windows, Mac, or Linux computers and Android devices. To those currently using the same and who have not yet deployed the patch, it’s time to update their Chrome browsers to the latest version, 86.0.4240.111 Google released. The latest version of Google Chrome Zero-Day Oct 2020 has addressed a serious 0-day heap buffer overflow vulnerability and three high-risk and medium-risk vulnerabilities. A good vulnerability management tool can prevent these attacks.
Zero-Day CVE-2020-15999 :
Chrome Zero-Day Oct 2020 actively exploited a memory corruption flaw, resulting in a heap buffer overflow in FreeType open-source development library used for rendering fonts packed with Chrome. These vulnerabilities can be kept at bay with a vulnerability management software. The vulnerability report by security researcher Sergei Glazunov of Google Project Zero on October 19. The security researcher then immediately reported the 0-day vulnerability to Freetype developers, who seemed to have addressed the issue in Freetype on October 20 with the release of FreeType 2.10.4.
According to the details shared by the reporter, the heap buffer overflow vulnerability. exists in the FreeType’s function “Load_SBit_Png” that processes PNG images embedded into fonts. This can be in exploitation by attackers to execute arbitrary code by using specially crafted fonts with embedded PNG images.
Glazunov explained,
The issue is that libpng uses the original 32-bit values, which are saved in `png_struct`. Therefore, if the original width and/or height are greater than 65535, the allocated buffer won’t be able to fit the bitmap.
The technical lead for Google’s Project Zero is Ben Hawkes. informed us that while they have only spotted the exploits targeting Chrome users. It is also possible that other projects using Freetype might also be vulnerable. They are advising to deploy the patch with FreeType version 2.10.4.
Since the patch for the vulnerability is visible in the source code of the FreeType open-source library. Attackers might be able to reverse-engineer the code and develop working exploits for this vulnerability.
Affected products by Chrome Zero-Day Oct 2020:
Google Chrome versions before 86.0.4240.111 and FreeType open-source library versions before 2.10.4.
Impact
This issue allows attackers to execute arbitrary code on the affected system.
Solution
Google has released security updates addressing the issue in Google Chrome version 86.0.4240.111.
SanerNow detects this vulnerability and automatically fixes it by applying security updates. Therefore, Download SanerNow and keep your systems updated and secure.