Soon after two zero-times in Chrome desktop, Google patches a 3rd zero-day in the Android edition

Google has launched safety updates for the Chrome for Android browser to fix a zero-day vulnerability that is at present exploited in the wild.

Chrome for Android variation 86..4240.185 was launched very last evening with fixes for CVE-2020-16010, a heap buffer overflow vulnerability in the Chrome for Android consumer interface (UI) ingredient.

Google claimed the bug was exploited to permit attackers to bypass and escape the Chrome stability sandbox on Android products and run code on the underlying OS.

Information about the assault are not general public to give Chrome customers far more time to set up the updates and reduce other menace actors from building exploits for the exact zero-working day.

A couple persons found that CVE-2020-16010 was not included in the backlink previously mentioned. That’s mainly because Chrome has independent release notes for Desktop and Android. The release notes covering CVE-2020-16010 (sandbox escape for Chrome on Android) are now accessible right here: https://t.co/6hBKMuCAaK

— Ben Hawkes (@benhawkes) November 3, 2020

Google credited its internal Risk Evaluation Group (TAG) group for finding the Chrome for Android zero-day attacks.

This marks the 3rd Chrome zero-working day found out by the TAG staff in the previous two weeks.

The 1st two zero-days afflicted only Chrome for desktop variations.

The initial was patched on Oct 20, was tracked as CVE-2020-15999, and affected Chrome’s FreeType font rendering library.

In a stick to-up report previous week, Google stated this to start with Chrome zero-day was utilized together with a Windows zero-day (CVE-2020-17087) as portion of a two-step exploit chain, with the Chrome zero-working day letting attackers to execute destructive code inside of Chrome, whilst the Windows zero-day was utilised to elevate the code’s privileges and attack the fundamental Windows OS.

On leading of this, Google also patched a 2nd zero-day yesterday. Tracked as CVE-2020-16009, this zero-working day was described as a distant code execution in the Chrome V8 JavaScript motor.

Hours immediately after the Chrome group produced patches for this 2nd zero-working day, Google unveiled a 3rd zero-day, impacting only its Chrome for Android variation.

While the a few zero-times are all various from each other and effect distinctive Chrome variations and parts, Google did not explain if all zero-days are exploited by the similar menace actor or by several teams.

This kind of specifics are generally discovered months after patches, through reviews revealed on Google’s Venture Zero and Google Security blogs. In the meantime, Chrome customers, the two on Android and on desktop, should really hurry to set up the latest updates (v86..4240.185 on Android and v86..4240.183 on desktop).