Google has released security updates for the Chrome for Android browser to fix a zero-day vulnerability that is currently exploited in the wild.
Chrome for Android version 86.0.4240.185 was released last night with fixes for CVE-2020-16010, a heap buffer overflow vulnerability in the Chrome for Android user interface (UI) component.
Google said the bug was exploited to allow attackers to bypass and escape the Chrome security sandbox on Android devices and run code on the underlying OS.
Details about the attack are not public to give Chrome users more time to install the updates and prevent other threat actors from developing exploits for the same zero-day.
A few people noticed that CVE-2020-16010 wasn’t included in the link above. That’s because Chrome has separate release notes for Desktop and Android. The release notes covering CVE-2020-16010 (sandbox escape for Chrome on Android) are now available here: https://t.co/6hBKMuCAaK
— Ben Hawkes (@benhawkes) November 3, 2020
Google credited its internal Threat Analysis Group (TAG) team for discovering the Chrome for Android zero-day attacks.
This marks the third Chrome zero-day discovered by the TAG team in the past two weeks.
The first two zero-days affected only Chrome for desktop versions.
The first was patched on October 20, was tracked as CVE-2020-15999, and affected Chrome’s FreeType font rendering library.
In a follow-up report last week, Google said this first Chrome zero-day was utilized together with a Windows zero-day (CVE-2020-17087) as part of a two-step exploit chain, with the Chrome zero-day allowing attackers to execute malicious code inside Chrome, while the Windows zero-day was used to elevate the code’s privileges and attack the underlying Windows OS.
On top of this, Google also patched a second zero-day yesterday. Tracked as CVE-2020-16009, this zero-day was described as a remote code execution in the Chrome V8 JavaScript engine.
Hours after the Chrome team released patches for this second zero-day, Google revealed a third zero-day, impacting only its Chrome for Android version.
While the three zero-days are all different from each other and impact different Chrome versions and components, Google did not clarify if all zero-days are exploited by the same threat actor or by multiple groups.
Such details are usually revealed months after patches, via reports published on Google’s Project Zero and Google Security blogs. In the meantime, Chrome users, both on Android and on desktop, should hurry to install the latest updates (v86.0.4240.185 on Android and v86.0.4240.183 on desktop).