Earlier today, Alphabet’s Google released Chrome version 86.0.4240.111, which delivers security fixes including a patch for an actively exploited zero-day vulnerability.
The zero-day, tracked as CVE-2020-15999, is described as a memory corruption bug in the FreeType font rendering library that’s included with standard Chrome distributions.
Security researchers from Project Zero, one of Google’s internal security teams, discovered in-the-wild attacks that exploited this FreeType bug.
Project Zero team lead Ben Hawkes says a threat actor was spotted abusing this FreeType bug in an attack against Chrome users.
Hawkes has also urged other app vendors that use the same FreeType library to update their software. If the threat actor decides to shift its attacks to other apps, those apps will face the same consequences.
The patch is included in FreeType 2.10.4, released earlier today.
Chrome users can update their browser to v86.0.4240.111 via the built-in update function (Chrome menu > Help > About Google Chrome).
The finer details of the CVE-2020-15999 active exploitation attempts are still not public. Google has a habit of withholding technical details for months, which gives users enough time to update.
However, since the patch is visible in the source code of FreeType, an open source project, it’s expected that threat actors will reverse-engineer it and come up with their own exploits within days or even weeks.
CVE-2020-15999 is the third zero-day exploited in the past twelve months.