Google fixes two actively used Chrome zero days (CVE-2020-16009, CVE-2020-16010)

For the third time in two weeks, Google Chrome has fixed zero-day vulnerabilities that are actively exploited in the wild: CVE-2020-16009 is present in the desktop version of the CVE-2020-16010 browser on mobile devices (Android) version .

About the vulnerabilities (CVE-2020-16009, CVE-2020-16010)

As usual, Google has decided not to publish many details about the patched security holes. So we only know this:

• CVE-2020-16009 is an inappropriate implementation bug in V8, Chrome’s open source JavaScript engine that is used by attackers to achieve remote code execution from a crafted HTML page
• CVE-2020-16010 is a heap-based buffer overflow vulnerability in the user interface on Android that is used to bypass the Chrome sandbox through a crafted HTML page (i.e., to escalate permissions on the vulnerable system)

The former was found and reported by Clement Lecigne of Google’s Threat Analysis Group (TAG) and Samuel Groß of Google Project Zero, the latter by Maddie Stone, Mark Brand and Sergei Glazunov of Google Project Zero.

Google says exploits for both exist in the wild. Google’s TAG is a team focused on detecting and thwarting government sponsored attacks. Hence, at least CVE-2020-16009 is likely to be exploited by government-sponsored hackers.

The company has not stated whether these Chrome zero days and the one set two weeks ago (CVE-2020-15999) used in conjunction with CVE-2020-17087, a Windows kernel zero day, will be used by The same attacker is used on the website.

Update your Chrome installations

Chrome version 86.0.4240.183 for Windows, macOS, and Linux is the latest stable release that includes fixes for CVE-2020-16009 and nine additional vulnerabilities. Users who do not have automatic updating enabled should check for the update manually.

Chrome v86.0.4240.185 for Android includes all of the above fixes plus those for CVE-2020-16010. The update for the app is available on Google Play.