Zero-day vulnerability detected in Google Chrome

Google’s information security team has just released a security update for the Chrome browser that fixes three critical flaws, including a zero-day vulnerability that is already reported as being actively exploited in the wild. Technical details about these flaws and their exploitation have not yet been disclosed, nor have the consequences of the attacks for users.

Although very few details are confirmed, the information security community has learned of a series of attacks detected on February 18th by researcher Clement Lecigne, a member of Google’s Threat Analysis Group, a special team that investigates and tracks the activities of the most dangerous hacker groups.

Chrome browser maintainers included patches to fix the unspecified zero-day vulnerability in the release of Chrome version 80.0.3987.122. Security patches are available for Windows, Linux, and Mac systems. The iOS, Android and Chrome OS operating systems have not yet been updated.
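As a check against the fixed build named above, the following added example (not code from Google or from the original article) triages a browser inventory for CVE-2020-6418. The hostnames, sample version strings and status labels are constructed for illustration, and it assumes that any build at or above 80.0.3987.122 carries the fix.

```python
import re

# Values from the article: the Chrome build that carries the CVE-2020-6418 fix,
# and the platforms that had received it at the time of writing.
FIXED_BUILD = (80, 0, 3987, 122)
PATCHED_PLATFORMS = {"windows", "linux", "mac"}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four-part Chrome version found in `text` as a tuple, or None."""
    match = VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def triage(platform, version_text):
    """Classify one inventory row against the CVE-2020-6418 fix."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"          # unparseable string: needs a manual check
    # Tuples compare numerically, so .99 sorts below .122 (a string compare would not).
    if version >= FIXED_BUILD:
        return "patched"
    if platform.lower() not in PATCHED_PLATFORMS:
        return "fix-pending"      # per the article, no update for this platform yet
    return "update-required"


# Constructed sample inventory (hosts and version strings are made up).
INVENTORY = [
    ("ws-014", "Windows", "Google Chrome 80.0.3987.99"),
    ("ws-022", "Linux", "Chromium 80.0.3987.122 snap"),
    ("mb-007", "Mac", "Google Chrome 79.0.3945.130"),
    ("ph-101", "Android", "Chrome 80.0.3987.99"),
    ("kiosk-3", "Chrome OS", "version unavailable"),
]


def report(rows):
    """Map each host to its triage status."""
    return {host: triage(platform, version) for host, platform, version in rows}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```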

The flaw is tracked as CVE-2020-6418; all that is known is that members of the Google team describe it as “a type confusion in V8”, the Chrome component responsible for processing JavaScript code. In information security, type confusion refers to a coding error in which an application begins an operation on input of one specific type but is tricked into treating that input as if it were of a different type.

This confusion leads to logical errors in the application’s memory, creating conditions that a threat actor can use to try to execute malicious code without restrictions within the target application.

According to the International Institute of Cyber Security (IICS), this is the third zero-day vulnerability in Chrome exploited in the wild in the last year. Previously, Google released security patches to fix two zero-day browser flaws:

  • CVE-2019-5786, in Chrome 72.0.3626.121
  • CVE-2019-13720, in Chrome 78.0.3904.8

The company is expected to reveal further details once the danger of exploitation has passed. It is worth mentioning that there are no reports of exploitation for the other two security flaws fixed in the latest version of Chrome.