Google patches second Chrome zero-day in two weeks

Google has released a security update today for its Chrome web browser that patches ten security bugs, including one zero-day vulnerability that is currently actively exploited in the wild.

Identified as CVE-2020-16009, the zero-day was discovered by Google’s Threat Analysis Group (TAG), a security team at Google tasked with tracking threat actors and their ongoing operations.

In typical Google fashion, details about the zero-day and the group exploiting the bug have now been made public — as a way to allow Chrome users more time to install the updates and prevent other threat actors from developing their own exploits for the same zero-day.

However, in a short changelog published today, Google said the zero-day resides in V8, the Chrome component that handles JavaScript code.

Chrome users are advised to update their browser to version 86.0.4240.183 or later.

Second zero-day in two weeks

This is the second Chrome zero-day that Google found exploited in the wild in the past two weeks.

On October 20, Google also released a security update for Chrome to patch CVE-2020-15999, a zero-day in Chrome’s FreeType font rendering library.

As Google revealed last week on Friday, this Chrome zero-day was utilized together with a Windows zero-day (CVE-2020-17087).

The Chrome zero-day was used to execute malicious code inside Chrome, while the Windows zero-day was used to elevate the code’s privileges and attack the underlying Windows OS. Microsoft is expected to patch this zero-day on November 10, during the company’s next Patch Tuesday.

Google didn’t clarify if these two zero-days were abused by the same threat actor.