Google’s information security team has just released a security update for the Chrome browser aiming to fix three critical flaws, including a zero-day vulnerability from which active exploit in the wild reports already exist. Technical details about these flaws and their exploitation are not yet disclosed; the consequences of the attack for users are also reserved information.
Although there are really few confirmed
details, the information security community has been able to learn about a
series of attacks detected on February 18th by researcher Clement Lecigne, a
member of Google’s Threat Analysis Group. This is a special team that investigates
and tracks the activities of the most dangerous hacker groups.
Chrome browser maintainers included patches to
fix the unspecified zero-day vulnerability in the release of Chrome version
80.0.3987.122. Security patches are available for Windows, Linux, and Mac
systems. The iOS, Android
and Chrome OS operating systems have not yet been updated.
This flaw has been tracked as CVE-2020-6418, and it is only known
that members of the Google team describe it as “a type confusion in
code. In information security, type confusion refers to coding errors during
which an app initializes data execution operations using input of a specific
type, but is tricked into treating input as if it were of a different type.
This confusion leads to logical errors in the
application’s memory, generating the conditions conducive to the intervention
of a threat actor, which will try to execute malicious code without
restrictions within the target application.
According to the International Institute of Cyber
Security (IICS), this is the third zero-day vulnerability in Chrome
exploited in the wild in the last year. Previously, Google released security
patches to fix two zero-day browser flaws:
in Chrome 72.0.3626.121
in Chrome 78.0.3904.8
The company is expected to reveal further
details as the danger of exploitation has passed; it is worth mentioning that
there are no exploit reports of the other two security flaws fixed in the
latest version of Chrome.