Google engineers have released an updated version of Google Chrome (86.0.4240.111) and warn that they have fixed a zero-day vulnerability in the browser that is under active attacks.
The error was discovered internally by Google Project Zero. It is identified as CVE-2020-15999 and is associated with the FreeType font rendering library included with standard Chrome distributions. The bug is known to be related to a violation of the integrity of information in memory.
Project Zero team leader Ben Hawkes writes that cybercriminals are already using this bug to attack Chrome users, and urges other vendors using this library to urgently update their software in case attackers decide to migrate attacks to other applications. The fact is that a patch for this vulnerability was also included in the latest version of FreeType (2.10.4) released this week.
So far, more detailed information about the operation of CVE-2020-15999 has not been disclosed. It should be said that this is a common practice for Google: the company's specialists can "keep silent" for months on the technical details of vulnerabilities in order not to give cybercriminals hints and allow users to install updates safely. However, this time the fixes can be tracked in source code open source project FreeType. Therefore, experts warn that, most likely, attackers will be able to quickly reverse engineer the bug and create their own exploits for it within the next few days.