Google has started rolling out a new security update for its Chrome browser on desktops. The new patch includes fixes to a total of 10 bugs in the browser, including a zero-day vulnerability — the second to have been noticed by Google’s Threat Analysis Group (TAG) that tracks threat actors in the last two weeks. As always, Google says that details of the bug and links won’t be revealed till a majority of Chrome users have installed the update and the vulnerabilities are also fixed in any related third-party library. A zero-day vulnerability refers to a recently discovered software security flaw that could have been already exploited by hackers.
The zero-day issue that the latest patch fixes is the second to be spotted in the last two weeks and the fourth in the last 12 months. Google had last released a security patch on October 20 to fix CVE-2020-15999 — an actively exploited memory corruption bug in the FreeType font rendering library within Chrome. A few days after releasing a security patch to fix it, Google on October 30 revealed that the zero-day CVE-2020-15999 was being exploited in conjunction with a windows zero-day vulnerability identified as CVE-2020-17087. While the malicious code was being executed inside Google Chrome, the Windows zero-day was increasing the code’s privileges to attack the Windows OS. Ben Hawkes, the technical lead of Google’s Project Zero, an elite team of bug hunters, has said that Microsoft is expected to issue a security patch to fix their security flaw on November 10.
While Google’s TAG did not reveal if the two bugs were being exploited by the same threat actors, it confirmed that the motive of the attackers was unrelated to the US presidential elections.