Many of the exploits discovered by cyber security researchers are often found and patched before the public is even made aware of the problem or actual exploits are found out in the wild. A recently discovered flaw reported by Sergei Glazunov of Google’s Project Zero earlier this week, however, was actively being exploited according to a post on the Chrome Releases Google blog. Buried towards the end of the post, it states, “Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild.”
CVE-2020-15999 was already patched along with a handful of other security bugs found in Google’s popular Chrome browser and Chrome OS (the operating system used on Chromebooks). CVE-2020-15999 is a 0-day heap buffer overflow memory corruption bug present s in the FreeType font rendering library, which is a part of Google Chrome and Chrome OS releases.
The Technical Lead for Google’s Project Zero, Ben Hawkes, tweeted information about the flaw along with a follow up explanation that it exists in FreeType, but that too has been patched, “While we only saw an exploit for Chrome, other users of FreeType should adopt the fix discussed here — the fix is also in today’s stable release of FreeType 2.10.4.”, Hawkes said.
Google Chrome and Chrome OS should update automatically when a patch is available and either the browser or OS is restarted. Should you want to check your installation (and manually trigger an update), simply open Chome, click the meatball menu (the three dots at the upper right, across from the address bar), go to Help, and then About Google Chrome. When you open the About page, the browser will check for updates and report what version is installed. Chrome v86.0.4240.111 and Chrome OS v86.0.4240.112 (Platform version: 13421.73.0) are the latest, which incorporate the necessary fix.