Homeland Security cybersecurity agency says update Google Chrome as attackers home in on new security flaws.
Within the space of just three short weeks, Google has patched no less than five potentially dangerous vulnerabilities in the Chrome web browser.
These are not common vulnerabilities either, but rather ones known as zero-days: a zero-day is a vulnerability that is being actively exploited by attackers while remaining unknown to the vendor and to threat intelligence outfits.
Once the vendor becomes aware of the security flaw (day zero) it can start to mitigate against exploitation, but not before. The attackers therefore have a head start.
What do we know about these zero-day Chrome flaws?
The latest two zero-days to be discovered are classed as high severity and affect Chrome for Windows, Mac and Linux.
The precise details of CVE-2020-16013 and CVE-2020-16017 have not yet been made public as Google restricts access to such information until the majority of users have updated.
However, the Department of Homeland Security cybersecurity agency, CISA, has advised that an attacker “could exploit one of these vulnerabilities to take control of an affected system.”
CVE-2020-16017, meanwhile, would appear to be a memory corruption vulnerability within the Chrome website sandboxing feature known as Site Isolation.
CISA urges users to update Google Chrome in light of ongoing attacks
The bad news is that attackers already know precisely what the vulnerabilities are and how to exploit them. CISA has confirmed that the security vulnerabilities have been “detected in exploits in the wild.”