Google has released Chrome version 86.0.4240.198 for Windows, Mac, and Linux to patch two zero-day vulnerabilities that were exploited in the wild.
These two vulnerabilities, tracked as CVE-2020-16013 and CVE-2020-16017, are the fourth and fifth zero-days that Google has patched in the Chrome web browser for desktop over the past three weeks.
The two latest zero-days were reported to Google by anonymous sources, whereas the first three zero-days were discovered internally by Google’s Project Zero elite security team.
Further details about the attacks in which the two Chrome zero-days were used have not been made public, to give users time to install the patches.
The two vulnerabilities are:
CVE-2020-16017: a “use after free” memory corruption bug in Chrome’s Site Isolation feature, which isolates each site’s data from one another.
It is not known whether the two vulnerabilities were used together, as part of an exploit chain, or used individually.
Over the past weeks, Google also patched:
CVE-2020-15999: a zero-day in Chrome’s FreeType font rendering library, which was utilized together with a Windows zero-day (CVE-2020-17087) that Microsoft patched yesterday.
CVE-2020-16010: a zero-day in Chrome for Android, impacting the browser’s user interface (UI) component.
Even though the danger these vulnerabilities pose to regular users is not clear, Chrome users are still strongly advised to update to v86.0.4240.198 through Chrome’s built-in update function at the earliest opportunity.