Chrome users could potentially be at risk of arbitrary code execution (ACE) due to an actively exploited zero-day vulnerability. Technical details of the available exploit have not been disclosed yet, but ACE flaws could allow an attacker to execute system commands, read, write or even delete files on the victim’s computer, create a backdoor to the system, gain network access or download a malicious program such as ransomware. While ACEs really are an open goal, the damage can be limited by the access controls and permissions usually in place. It’s imperative that everyone using Chrome updates to version 86.0.4240.111 to address these high-severity vulnerabilities.
Comment is attributable to Rody Quinlan, Security Response Manager at Tenable:
“The zero-day is a memory corruption flaw [CVE-2020-15999] described as a ‘heap buffer overflow in FreeType.’ Successful exploitation of heap buffer overflows could lead to memory leakage which could potentially be used to lead to arbitrary code execution. As the Chrome flaw is being actively exploited in the wild, users are urged to update their browsers as soon as possible to reduce the risk of compromise.
Chrome is not the first browser with an actively exploited zero-day this year. Just over a week into 2020, Mozilla released an advisory for a zero-day vulnerability in Mozilla Firefox, CVE-2019-17026, and later again in April for CVE-2020-6819 and CVE-2020-6820. Mozilla Firefox advised users to upgrade as soon as possible as they were aware of attacks targeting the flaw.
Microsoft also released an out-of-band (OOB) advisory (ADV200001) in January for CVE-2020-0674, a zero-day remote code execution (RCE) vulnerability in Internet Explorer. While an OOB advisory for an RCE vulnerability from Microsoft is enough reason to take note, the advisory also stated that Microsoft was aware of targeted attacks in the wild.
With three of the most commonly used browsers actively targeted this year with zero-days, it is imperative organisations patch their systems as soon as updates are available.”