Google Chrome vulnerability disclosed: attackers can hijack the target computer

If you use the Google Chrome browser on a Windows, Mac or Linux computer, you need to immediately update the web browsing software to the latest version released by Google earlier today.
Google today released Chrome version 86.0.4240.111 to fix a number of high-severity security issues, including a zero-day vulnerability that attackers have exploited in the wild to hijack targeted computers.

The actively exploited vulnerability, tracked as CVE-2020-15999, is a memory corruption flaw: a heap buffer overflow in FreeType, a popular open-source font-rendering library that ships with Chrome.

The vulnerability was discovered and reported on October 19 by Sergei Glazunov, a security researcher at Google Project Zero. Because the vulnerability is being actively exploited, it is subject to a 7-day public disclosure deadline.

Glazunov also immediately reported the zero-day vulnerability to the FreeType developers, who subsequently developed an emergency patch and released FreeType 2.10.4 on October 20 to solve the problem.

Ben Hawkes, the technical lead of Google Project Zero, warned on Twitter that although the team has only seen an exploit targeting Chrome users, other projects that use FreeType may also be attacked. They are advised to deploy the fix included in FreeType version 2.10.4.

Chrome zero-day vulnerability

According to detailed information shared by Glazunov, the vulnerability exists in FreeType's function "Load_SBit_Png", which processes PNG images embedded in fonts. Attackers can execute arbitrary code simply by using specially crafted fonts with embedded PNG images.

The problem is that libpng uses the original 32-bit width and height values, which are stored in png_struct, while the bitmap buffer is sized from values truncated to 16 bits. Therefore, if the original width and/or height is greater than 65535, the allocated buffer will not fit the bitmap.
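The size mismatch described above can be reproduced with plain arithmetic. The following is an added example, not FreeType's or libpng's code: it models a loader that stores 16-bit dimensions while the decoder works from the 32-bit header values, next to a checked variant that rejects dimensions that do not survive the narrowing. All names, the 4-bytes-per-pixel layout and the sample header bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model of an embedded-bitmap loader; all names are hypothetical. */
typedef struct { uint16_t width, height; } sbit_metrics;

/* Read a big-endian 32-bit field, as stored in a PNG IHDR chunk. */
static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Bytes the caller allocates: derived from the 16-bit metrics
   (assumed layout: 4 bytes per pixel). */
size_t alloc_size(const sbit_metrics *m) {
    return (size_t)m->width * 4u * m->height;
}

/* Bytes the decoder writes: derived from the original 32-bit values. */
uint64_t decoded_size(uint32_t w, uint32_t h) {
    return (uint64_t)w * 4u * h;
}

/* Unchecked variant: silently narrows both dimensions to 16 bits. */
void load_metrics_unchecked(const uint8_t *ihdr, sbit_metrics *m) {
    m->width  = (uint16_t)be32(ihdr);
    m->height = (uint16_t)be32(ihdr + 4);
}

/* Checked variant: returns -1 when a dimension would not survive narrowing. */
int load_metrics_checked(const uint8_t *ihdr, sbit_metrics *m) {
    uint32_t w = be32(ihdr), h = be32(ihdr + 4);
    if (w == 0 || h == 0 || w > UINT16_MAX || h > UINT16_MAX) return -1;
    m->width = (uint16_t)w; m->height = (uint16_t)h;
    return 0;
}

/* Constructed IHDR fields: width = 0x00010003 (65539), height = 2. */
const uint8_t sample_ihdr[8] = {0x00,0x01,0x00,0x03, 0x00,0x00,0x00,0x02};

/* Returns 1 when the decoder would write more bytes than were allocated. */
int would_overflow(const uint8_t *ihdr) {
    sbit_metrics m;
    load_metrics_unchecked(ihdr, &m);
    return decoded_size(be32(ihdr), be32(ihdr + 4)) > alloc_size(&m);
}

int main(void) {
    printf("overflow=%d\n", would_overflow(sample_ihdr));
    return 0;
}
```

With the constructed header, the 16-bit metrics hold a width of 3, so 24 bytes are allocated while the decoder would write 524312.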

Google also released a font file with a proof-of-concept exploit. At the same time, Google released Chrome 86.0.4240.111 as a "stable" version of Chrome, meaning it is available to all users rather than only to selected early adopters. The company said it is aware that an exploit for CVE-2020-15999 exists in the wild, but did not disclose more details of the active attacks.

In addition to the FreeType zero-day vulnerability, Google also patched four other vulnerabilities in the latest Chrome update. Three of them are high-risk vulnerabilities: an inappropriate implementation bug in Blink, a use-after-free bug in Chrome's media component, and a use-after-free bug in PDFium. The fourth is a medium-risk use-after-free issue in the browser's printing function.

Although the Chrome web browser will automatically notify users of the latest available version, it is recommended that users manually trigger the update process by going to "Help→About Google Chrome" from the menu.

Source: Guo Shenghua's blog, please indicate the source for reprinting


Origin blog.csdn.net/weixin_45715145/article/details/109215438