Google has released Chrome 80 update that addresses three high-severity vulnerabilities, one of them has been exploited in the wild.

Google has released Chrome 80 update (version 80.0.3987.122) that addresses three high-severity vulnerabilities, including a zero-day issue (CVE-2020-6418) that has been exploited in the wild. The CVE-2020-6418 vulnerability is a type confusion issue that affects the V8 open source JavaScript engine used by the Chrome browser.

Google did not disclose details of the attack exploiting this zero-day flaw to avoid other threat actors will start to exploit it. The vulnerability was discovered by Clement Lecigne from the Google Threat Analysis Group.

Found and analyzed with a lot of help from @5aelo and Sergei. https://t.co/qeBkjsao4o — clem1 (@_clem1) February 25, 2020

The remaining flaws fixed by Google are an integer overflow in ICU and an out-of-bounds memory access issue in the streams component.

The integer overflow was reported by the security expert André Bargull, who was awarded $5,000 for its discovery.

The out-of-bounds vulnerability addressed with the release of Chrome 80 update (version 80.0.3987.122) was discovered by Sergei Glazunov of Google Project Zero.

This is the third Chrome zero-day that has been exploited by threat actors in the wild in the past year.

In February 2019, Clement Lecigne discovered a high severity zero-day flaw in Chrome that could be exploited by a remote attacker to execute arbitrary code and take full control of the target computer.

The vulnerability tracked as CVE-2019-5786 resides in the web browsing software and impact all major operating systems including Windows, Apple macOS , and Linux.

In November 2019, Google released security updates to address two high severity vulnerabilities in the Chrome browser, one of which is a zero-day flaw actively exploited in attacks in the wild to hijack computers.

One of the flaw, tracked as CVE-2019-13720, was exploited in a campaign that experts attribute to Korea-linked threat actors.

Pierluigi Paganini

(SecurityAffairs – hacking, Google Chrome)