Google has released Chrome 86.0.4240.111 today, October 20th, 2020, to the Stable desktop channel to address five security vulnerabilities, one of them an actively exploited zero-day bug.“Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild,” the Google Chrome 86.0.4240.111 announcement reads.This version is rolling out to the entire userbase during the next days/weeks. Windows, Mac, and Linux desktop users can upgrade to Chrome 86 by going to Settings -> Help -> About Google Chrome.The Google Chrome web browser will then automatically check for the new update and install it when available.
Freetype zero-day bug under active exploitation
“Project Zero discovered and reported an actively exploited 0day in freetype that was being used to target Chrome,” said Ben Hawkes, technical team lead of Google’s ‘Project Zero’ security research team.“While we only saw an exploit for Chrome, other users of freetype should adopt the fix discussed here: https://savannah.nongnu.org/bugs/?59308 — the fix is also in today’s stable release of FreeType 2.10.4,” Hawkes added.The heap buffer overflow zero-day bug found in the popular FreeType text rendering library has been reported by Google Project Zero’s Sergei Glazunov on October 19.According to Glazunov’s report, the vulnerability “exists in the function `Load_SBit_Png`, which processes PNG images embedded into fonts.”The Load_SBit_Png FreeType function:1) Obtains the image width and height from the header as 32-bit integers.
2) Truncates the obtained values to 16 bit and stores them in a `TT_SBit_Metrics` structure.
3) Uses the truncated values to calculate the bitmap size.
4) Allocates the backing store of that size.
5) Passes `png_struct` and the backing store to a libpng function.
“The issue is that libpng uses the original 32-bit values, which are saved in `png_struct`,” Glazunov further explained. “Therefore, if the original width and/or height are greater than 65535, the allocated buffer won’t be able to fit the bitmap.”Full technical details for this actively exploited zero-day vulnerability should be released on Project Zero’s issue tracker on October 26.