About the vulnerabilities (CVE-2020-16009, CVE-2020-16010)
As usual, Google has decided not to publish many details about the patched security holes. So we only know this:
- CVE-2020-16010 is a heap-based buffer overflow vulnerability in the user interface on Android that is used to bypass the Chrome sandbox through a crafted HTML page (i.e., to escalate permissions on the vulnerable system)
The former was found and reported by Clement Lecigne of Google’s Threat Analysis Group (TAG) and Samuel Groß of Google Project Zero, the latter by Maddie Stone, Mark Brand and Sergei Glazunov of Google Project Zero.
Google says exploits for both exist in the wild. Google’s TAG is a team focused on detecting and thwarting government sponsored attacks. Hence, at least CVE-2020-16009 is likely to be exploited by government-sponsored hackers.
The company has not stated whether these Chrome zero days and the one set two weeks ago (CVE-2020-15999) used in conjunction with CVE-2020-17087, a Windows kernel zero day, will be used by The same attacker is used on the website.
Update your Chrome installations
Chrome version 86.0.4240.183 for Windows, macOS, and Linux is the latest stable release that includes fixes for CVE-2020-16009 and nine additional vulnerabilities. Users who do not have automatic updating enabled should check for the update manually.
Chrome v86.0.4240.185 for Android includes all of the above fixes plus those for CVE-2020-16010. The update for the app is available on Google Play.
These were the details of the news Google fixes two actively used Chrome zero days (CVE-2020-16009, CVE-2020-16010) for this day. We hope that we have succeeded by giving you the full details and information. To follow all our news, you can subscribe to the alerts system or to one of our different systems to provide you with all that is new.
It is also worth noting that the original news has been published and is available at de24.news and the editorial team at AlKhaleej Today has confirmed it and it has been modified, and it may have been completely transferred or quoted from it and you can read and follow this news from its main source.