If you’re an update laggard, buck up: Chrome zero-days are being exploited in the wild

Patch Google Chrome with the latest updates – if you don’t, you’re vulnerable to a zero-day that is actively being exploited, the US Cybersecurity and Infrastructure Security Agency (CISA) has warned.

Criminals are targeting users of Chrome with outdated installations, CISA said in an advisory note urging folk to update their browsers immediately.

“Google has released Chrome version 86.0.4240.183 for Windows, Mac, and Linux addressing multiple vulnerabilities, including vulnerability CVE-2020-16009. Exploit code for this vulnerability exists in the wild,” said the agency in a statement.

The vuln affects the desktop version of Chrome and is a remote code execution bug publicly uncovered by Google’s Project Zero infosec bods. It exists in V8, which is Google’s open-source JS and WebAssembly engine. Full details of the exploit are not yet in the public domain, though the MITRE entry for CVE-2020-16009 states, at the time of writing, that it “allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page”.

Malicious people have clearly figured it out already despite the lack of information available to world+dog.

“Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild,” said the typically talkative Chocolate Factory.

Separate patches for the Android version of Chrome fix a similar actively exploited vuln tracked as CVE-2020-16010, explained only as a “heap buffer overflow in UI on Android”.

Regardless of the scanty information – easily explained by Google, quite responsibly, not wanting to hand every script kiddie on the internet information on how to pwn slow-to-update folk – users of Chrome on Android should ensure they are running version 86.0.4240.185. ®
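A fleet check for the two fixed builds named above, as an added example that is not part of the original article: it compares reported Chrome versions numerically against 86.0.4240.183 (desktop) and 86.0.4240.185 (Android). The inventory rows, host names and function names are constructed for illustration.

```python
import re

# Fixed builds as stated in the article:
# desktop (CVE-2020-16009) and Android (CVE-2020-16010).
FIXED = {
    "windows": (86, 0, 4240, 183),
    "mac": (86, 0, 4240, 183),
    "linux": (86, 0, 4240, 183),
    "android": (86, 0, 4240, 185),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part Chrome version out of free text, or return None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def check(platform, version_text):
    """Return 'patched', 'outdated' or 'unknown' for one installation."""
    fixed = FIXED.get(platform.lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # treat as needing follow-up, never as patched
    # Tuple comparison is numeric per component. A plain string comparison
    # would rank "86.0.4240.99" above "86.0.4240.183" and hide a stale build.
    return "patched" if version >= fixed else "outdated"


def hosts_needing_attention(inventory):
    """List hosts whose Chrome is outdated or could not be assessed."""
    return [host for host, platform, text in inventory
            if check(platform, text) != "patched"]


# Constructed sample inventory: (host, platform, reported version string).
INVENTORY = [
    ("ws-01", "windows", "Google Chrome 86.0.4240.183"),
    ("ws-02", "linux", "Google Chrome 86.0.4240.99"),
    ("ws-03", "mac", "Google Chrome 86.0.4240.111"),
    ("ph-01", "android", "86.0.4240.183"),
    ("ph-02", "android", "86.0.4240.185"),
    ("ws-04", "linux", "version not reported"),
]

if __name__ == "__main__":
    for host in hosts_needing_attention(INVENTORY):
        print(host)
```

Note that ph-01 is flagged even though it matches the desktop fix: the Android build the article names is .185, not .183.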