Google patches Chrome zero-day under active attacks
Google has released today a Chrome update to address three security bugs, including a zero-day vulnerability that is being actively exploited in the wild.
Details about these attacks are not yet public, and we don't know how this bug is being used against Chrome users.
All we know is that the attacks were discovered last week, on February 18, by Clement Lecigne, a member of Google's Threat Analysis Group, a division at Google that investigates and tracks threat actor groups.
Found and analyzed with a lot of help from @5aelo and Sergei. https://t.co/qeBkjsao4o
— clem1 (@_clem1) February 25, 2020
Patches for this zero-day have been released part of Chrome version 80.0.3987.122. The update is available for Windows, Mac, and Linux users, but not Chrome OS, iOS, and Android.
The zero-day is tracked under the identifier of CVE-2020-6418, and is described only as a "type confusion in V8."
V8 is Chrome's component that's responsible for processing JavaScript code.
A type confusion refers to coding bugs during which an app initializes data execution operations using input of a specific "type" but is tricked into treating the input as a different "type."
The "type confusion" leads to logical errors in the app's memory and can lead to situations where an attacker can run unrestricted malicious code inside an application.
Third Chrome zero-day in the past year
This is the third Chrome zero-day that has been exploited in the wild in the past year.
Google patched the first Chrome zero-day in March last year (CVE-2019-5786 in Chrome 72.0.3626.121), and then a second in November (CVE-2019-13720 in Chrome 78.0.3904.8).
We will update this article if Google shares more information about the recent attacks. In the meantime, users are advised to update Chrome as soon as possible.
Chrome v80.0.3987.122 also comes with two additional security updates; however, these have not been exploited in the wild.