Google has released Chrome 86.0.4240.111 today, October 20th, 2020, to the Stable desktop channel to address five security vulnerabilities, one of them an actively exploited zero-day bug. “Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild,” the Google Chrome 86.0.4240.111 announcement reads. This version is rolling out to the entire userbase during the next days/weeks. Windows, Mac, and Linux desktop users can upgrade to Chrome 86 by going to Settings -> Help -> About Google Chrome. The Google Chrome web browser will then automatically check for the new update and install it when available. Chrome 86.0.4240.111

Freetype zero-day bug under active exploitation

“Project Zero discovered and reported an actively exploited 0day in freetype that was being used to target Chrome,” said Ben Hawkes, technical team lead of Google’s ‘Project Zero’ security research team. “While we only saw an exploit for Chrome, other users of freetype should adopt the fix discussed here: — the fix is also in today’s stable release of FreeType 2.10.4,” Hawkes added. The heap buffer overflow zero-day bug found in the popular FreeType text rendering library has been reported by Google Project Zero’s Sergei Glazunov on October 19. According to Glazunov’s report, the vulnerability “exists in the function `Load_SBit_Png`, which processes PNG images embedded into fonts.” The Load_SBit_Png FreeType function:
1) Obtains the image width and height from the header as 32-bit integers. 2) Truncates the obtained values to 16 bit and stores them in a `TT_SBit_Metrics` structure. 3) Uses the truncated values to calculate the bitmap size. 4) Allocates the backing store of that size. 5) Passes `png_struct` and the backing store to a libpng function.
“The issue is that libpng uses the original 32-bit values, which are saved in `png_struct`,” Glazunov further explained. “Therefore, if the original width and/or height are greater than 65535, the allocated buffer won’t be able to fit the bitmap.”

Full technical details for this actively exploited zero-day vulnerability should be released on Project Zero’s issue tracker on October 26.

Four other security flaws addressed

Google also fixed three other high severity security vulnerabilities and a medium severity flaw in Chrome 86.0.4240.111: • CVE-2020-16000: Inappropriate implementation in Blink (reported by amaebi_jp on September 6) • CVE-2020-16001: Use after free in media (reported by Khalil Zhani on October 15) • CVE-2020-16002: Use after free in PDFium (reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on October 13) • CVE-2020-16003: Use after free in printing (reported by Khalil Zhani on October 4)