A Chrome 80 update released on Monday patches three high-severity vulnerabilities, including one that Google says has been exploited in the wild.
The zero-day vulnerability, tracked as CVE-2020-6418, has been described as a type confusion issue affecting the V8 open source JavaScript engine used by Chrome. Google has credited Clement Lecigne of its Threat Analysis Group for reporting the vulnerability.
No additional information has been disclosed regarding the attacks exploiting CVE-2020-6418 and Google rarely makes these types of details public.
The other two flaws patched by Google on Monday with the release of Chrome 80.0.3987.122 have been described as an integer overflow in ICU and an out-of-bounds memory access issue in the streams component.
The integer overflow was reported by researcher André Bargull, who earned $5,000 for his findings, while the out-of-bounds bug was identified by Sergei Glazunov of Google Project Zero.
Several Chrome vulnerabilities have been exploited in attacks over the past year. One campaign involved the use of a Chrome zero-day to deliver a piece of malware as part of a Korea-linked campaign named Operation WizardOpium. Other Chrome vulnerabilities were exploited alongside a Windows zero-day.
Related: Firefox Zero-Day Exploited to Deliver Malware to Cryptocurrency Exchanges
Related: Tech Support Scammers Exploiting Unpatched Firefox Bug
Related: Mozilla Patches Firefox Zero-Day Exploited in Targeted Attacks
Related: Firefox Zero-Day Vulnerability Exploited in Targeted Attacks
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- Vulnerabilities in Honda eCommerce Platform Exposed Customer, Dealer Data
- Barracuda Urges Customers to Replace Hacked Email Security Appliances
- Google Patches Third Chrome Zero-Day of 2023
- ChatGPT Hallucinations Can Be Exploited to Distribute Malicious Code Packages
- AntChain, Intel Create New Privacy-Preserving Computing Platform for AI Training
- Several Major Organizations Confirm Being Impacted by MOVEit Attack
Latest News
- In Other News: AI Regulation, Layoffs, US Aerospace Attacks, Post-Quantum Encryption
- Blackpoint Raises $190 Million to Help MSPs Combat Cyber Threats
- Google Introduces SAIF, a Framework for Secure AI Development and Use
- ‘Asylum Ambuscade’ Group Hit Thousands in Cybercrime, Espionage Campaigns
- Evidence Suggests Ransomware Group Knew About MOVEit Zero-Day Since 2021
- SaaS Ransomware Attack Hit Sharepoint Online Without Using a Compromised Endpoint
- Google Cloud Now Offering $1 Million Cryptomining Protection
- Democrats and Republicans Are Skeptical of US Spying Practices, an AP-NORC Poll Finds
