Zero Day Flaws in Chrome Could Lead to Remote Code Execution

Author: Melodie Foster

Date: 18th November 2020

A further two zero-day vulnerabilities have been found in Chrome which would allow an unauthenticated, remote attacker to compromise an affected system via the web. According to Google, both flaws are actively being exploited which brings the total of actively exploited flaws found in Chrome within the last three weeks to five.

Both flaws have a CVSS score of 8.4 out of 10 and have a severity rating of “high”, and a stable release patching the two flaws (CVE-2020-16013 and CVE-2020-16017). will be rolled out over the next weeks.

To exploit CVE-2020-16017, researchers have said that by creating a specific web page and tricking the victim into visiting it, an attacker can trigger use-after-free error and execute arbitrary code on the target system.

The second flaw, however, has been described by Google as an “inappropriate implementation in V8,” whereby the software does not implement or incorrectly implements one or more security-relevant checks.[1]

Users are advised to update their Chrome browsers to the latest version (86.0.4240.198) as soon as possible… Like now… stop reading this article and update Chrome. If you have automatic updates enabled, your browser should update by itself. Otherwise, you’ll have to do it manually by navigating to the About Google Chrome section, which can be found under Help in the side menu.

If you use Microsoft’s Chromium based Edge browser, then update to version 86.0.622.69.

[1] https://threatpost.com/2-zero-day-bugs-google-chrome/161160/

Other resources

Cyberfort Colocation Services

Cyberfort has invested heavily in secure infrastructure, making us the perfect colocation service provider to host your mission-critical, sensitive and regulated data.
Find out more >

What can Cyberfort do for you?

Check out our factsheets for detailed information on the matrix of cybersecurity products and services we offer to protect your business.
Find out more >

Cyberfort Deep Dives

Cyberfort’s cybersecurity consultants explore issues in cyber threat intelligence, incident planning and data security. Read our whitepapers to help make decisions that benefit your business.
Find out more >

Cookie Name	Expiration Time	Description
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_gat	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.

_gac_<property-id>	90 days	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.
__hstc	13 months	The main cookie for tracking visitors.
hubspotutk	13 months	This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
__hssc	30 minutes	This cookie keeps track of sessions.
__hssrc	End of session	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.

Zero Day Flaws in Chrome Could Lead to Remote Code Execution

Author: Melodie Foster

Date: 18th November 2020

Other resources

Cyberfort Colocation Services

What can Cyberfort do for you?

Cyberfort Deep Dives

Recent Posts

Recent Comments

Archives

Categories

Meta