Google stepped out of band this week to patch two Chrome zero-day vulnerabilities currently being exploited in the wild that researchers say, if left unpatched, could allow hackers to compromise user devices.
The company addressed CVE-2020-16009 on the desktop and released Chrome for Android version 86.0.4240.185 as a fix for CVE-2020-16010, which Chris Hazelton, director of security solutions at Lookout, said would allow “a remote attacker, who had compromised the renderer process [to] perform a sandbox escape using a crafted HTML page and successfully exploit the vulnerability, allowing an attacker to compromise the device.”
The Android vulnerability, which affects all versions but the most current, is the result of a heap buffer overflow in the UI of Google Chrome on Android while processing untrusted HTML content: an attacker can write more data into a heap buffer than it was allocated to hold, overwriting adjacent memory or a program function and causing a crash or exploitable memory corruption.
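To make the defect class concrete, the following is an added example (not Chrome's code and not derived from the actual bug) of a toy parser that copies an untrusted HTML attribute value into a fixed-size heap buffer. The unchecked version trusts the length taken from the document; the checked version bounds the copy before touching the buffer. The function names, TITLE_CAP and the HTML inputs are all constructed for the example.

```c
/* Added example, not Chrome's code: heap buffer overflow on a toy HTML
 * attribute parser, with the vulnerable pattern beside the bounded one.
 * Names, TITLE_CAP and the sample HTML are constructed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TITLE_CAP 16  /* size of the heap allocation, chosen for the example */

/* Locate the value of title="..." in html. Returns a pointer to the first
 * byte of the value and stores its length in *len; NULL if not present. */
static const char *find_title(const char *html, size_t *len) {
    const char *p = strstr(html, "title=\"");
    if (!p) return NULL;
    p += strlen("title=\"");
    const char *q = strchr(p, '"');
    if (!q) return NULL;
    *len = (size_t)(q - p);
    return p;
}

/* Vulnerable pattern: the copy length comes from the attacker-controlled
 * document, the destination size does not. A value of TITLE_CAP bytes or
 * more writes past the end of the heap chunk (memory corruption). */
char *parse_title_unchecked(const char *html) {
    size_t len;
    const char *v = find_title(html, &len);
    if (!v) return NULL;
    char *buf = malloc(TITLE_CAP);
    if (!buf) return NULL;
    memcpy(buf, v, len);      /* no comparison of len against TITLE_CAP */
    buf[len] = '\0';          /* may also land outside the allocation */
    return buf;
}

/* Hardened version: validate the length before allocating or copying,
 * leaving room for the terminator. Returns NULL on oversize input. */
char *parse_title_checked(const char *html) {
    size_t len;
    const char *v = find_title(html, &len);
    if (!v) return NULL;
    if (len >= TITLE_CAP)     /* len bytes plus the NUL must fit in TITLE_CAP */
        return NULL;
    char *buf = malloc(TITLE_CAP);
    if (!buf) return NULL;
    memcpy(buf, v, len);
    buf[len] = '\0';
    return buf;
}

int main(void) {
    const char *ok  = "<a title=\"hello\">";                          /* 5 bytes, fits */
    const char *bad = "<a title=\"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\">"; /* 32 bytes, too long */
    char *t = parse_title_checked(ok);
    printf("checked(ok)  -> %s\n", t ? t : "(rejected)");
    free(t);
    t = parse_title_checked(bad);
    printf("checked(bad) -> %s\n", t ? t : "(rejected)");
    free(t);
    /* parse_title_unchecked(bad) would corrupt the heap; it is deliberately
     * not called here. Build with -fsanitize=address to see the report. */
    return 0;
}
```

The defender's takeaway is the shape of the check: the bound is compared against the destination's allocation size, not against anything read from the input, and it happens before any write. Fuzzing such a parser under AddressSanitizer turns the unchecked path into an immediate, reproducible crash rather than a silent corruption.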
The two zero-day patches come on the heels of an October 20 fix for CVE-2020-15999, a Chrome desktop zero-day that Charles Ragland, security engineer at Digital Shadows, said is, like CVE-2020-16009, a flaw in components Chrome relies on for rendering: the FreeType 2 library used for font rendering and the V8 JavaScript engine. Attackers, he said, can exploit this vulnerability by sending a phishing email that contains a link to a site hosting a malicious page with a modified font file. Given the volume of phishing campaigns most organizations face, unpatched users are at significant risk, since there is evidence these vulnerabilities are being exploited in the wild.
Both Adobe and Oracle released patches this week as well. Adobe fixed critical, important and moderate vulnerabilities in Adobe Reader and Acrobat for both Windows and macOS.
Ragland said the Adobe updates addressed a total of 14 CVEs, and four were rated as critical. The critical vulnerabilities include a heap buffer overflow flaw (CVE-2020-24435), an out-of-bounds write flaw (CVE-2020-24436), and two use-after-free bugs (CVE-2020-24430 and CVE-2020-24437), all of which could enable arbitrary code execution. As of now, there’s no evidence that these vulnerabilities are being exploited in the wild.
In addition, Mandiant researchers tracked UNC1945 between February 2018 and September 2020 and reported flaws in Oracle Solaris. Mandiant reported the flaw (CVE-2020-14871) to Oracle, which addressed it in its October 2020 Critical Patch Update. According to NIST, this easily exploitable vulnerability lets unauthenticated attackers with network access via multiple protocols compromise Oracle Solaris. Mandiant recommends that security teams stay current on patch updates to maintain a strong security posture.
Oracle also released an update early this month for Enterprise Performance Management (EPM) 11.2.3. The update includes updated platform certifications; streamlines and simplifies the architecture, updating the underlying technology stack; and delivers a simplified repository configuration to streamline infrastructure and architecture for the future. Oracle will offer support through at least 2030. Today’s release also lists Oracle patches dating back to September 2019.