Google has patched 5 security vulnerabilities in its Chrome browser, one of which is being exploited in the wild.

The vulnerabilities include one buffer overflow and three use-after-free vulnerabilities, but CVE-2020-15999 is the worst, and depends on your browser automatically installing custom fonts.

CVE-2020-15999 is a Heap buffer overflow in Freetype and was discovered by the Google Project Zero on 2020-10-19.

Google Project Zero did not disclose technical details about the attacks exploiting the CVE-2020-15999 in the wild to avoid mass exploitation from threat actors, but it is believed to be related to the ability of websites to request the installation of Web Open Font Format fonts, and could therefore likely be exploited simply by visiting a website.

Chrome browser versions earlier than 86.0.4240.111 are vulnerable. If you have a pending update (green arrow in your Chrome Menu) it may be a good time to restart your browser now, and if you do not, it may be a good idea to check your version under Chrome> Menu> Help > About.

via Sophos

Comments