Chrome / Brave / Vivaldi Zero Day Attack

I’m a few days after the actual Zero Day announcement, but it’s still early enough to matter.

Chrome has an exploitable bug in it. A patch does exist, but until you apply it / upgrade your browser, you are exposed.

Realize this is NOT just in Chrome. As Chromium (the open source version) is the base for several other browsers, they too are exposed. This includes Brave and Vivaldi browsers AND Edge from Microsoft. In total, about 1 BILLION devices are exposed.

It is a relatively “meat and potatoes” buffer overflow exploit that can lead to running arbitrary code and then privilege escalation. Essentially, you can take over the whole system. Note that more recent Linux kernels have protection against such privilege escalation, so the biggest risk is Microsoft Edge on their OS or Chromium on older Linux kernels (like Chrome on an older Android device).

That said, if you practice reasonable habits of paranoia, like running load / process monitors that you look at often, and shutting down quickly if something strange happens (like sudden sluggishness or software acting broken) you can interrupt such attacks before they are fully engaged.

For me, I’m shifting my primary use to FireFox until I’ve got things on patched versions.

https://threatit.com/articles/zero-day-alert-for-chrome-patch-now/

Google’s own Chrome browser has just been patched for a brand new – obviously – zero-day vulnerability in the software’s FreeType font rendering library.

The bug was reportedly already exploited in the wild

According to Sergei Glazunov of Google Project Zero the bug is a type of memory-corruption flaw called a heap buffer overflow in FreeType.

Glazunov informed Google of the vulnerability Monday. Project Zero is an internal security team at the company aimed at finding zero-day vulnerabilities.

Fortunately for all Chrome users, Google has already released a stable channel update, Chrome version 86.0.4240.111, that deploys five security fixes for Windows, Mac and Linux.

Among them also the fix for the zero-day that Glazunov discovered (classified as CVE-2020-15999).

As Google themselves acknowledged, in the blog post regarding the update, they are fully aware that the exploit exists and are urging everybody to update as soon as possible.

On the subject, Ben Hawkes, technical lead for the Project Zero team, warned that while Google researchers only observed the Chrome exploit, it’s possible that other implementations of FreeType might be vulnerable as well since Google was so quick in its response to the bug.

Note that even non-browser applications can be using FreeType. The attack vector choices are huge. I’m not really keen on how many bugs have been shown to be exploits in Chrome lately, especially given how many folks base their browsers on it.

Other than CVE-2020-15999, Google patched four other bugs, as you can read below (with the bug hunters’ payouts included):

[$500][1125337] High CVE-2020-16000: Inappropriate implementation in Blink. Reported by amaebi_jp on 2020-09-06
[$TBD][1135018] High CVE-2020-16001: Use after free in media. Reported by Khalil Zhani on 2020-10-05
[$TBD][1137630] High CVE-2020-16002: Use after free in PDFium. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2020-10-13
[$3000][1134960] Medium CVE-2020-16003: Use after free in printing. Reported by Khalil Zhani on 2020-10-04

Considering the last few months, this is the third zero-day that has been patched by Google in its Chrome browser.

Prior to this week’s FreeType disclosure, the first was a critical remote code execution vulnerability (CVE-2019-13720), and the second was a type of memory confusion bug tracked as CVE-2020-6418 that was fixed in February of this year.
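As an added example (not code from the original post or the linked article), a POSIX shell check that parses a Chrome/Chromium `--version` banner and compares it component by component against the 86.0.4240.111 fix release named above; the binary names it probes and the sample banners are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: check whether an installed
# Chrome/Chromium build is at or past 86.0.4240.111, the stable release the
# article names as carrying the CVE-2020-15999 fix.
PATCHED_VERSION="86.0.4240.111"

# extract_version BANNER: pull the first dotted number out of a "--version"
# banner such as "Google Chrome 86.0.4240.111".
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9.]*' | head -n 1
}

# version_ge A B: succeed if dotted version A >= B, comparing component by
# component as integers (a plain string compare would rank 9.x above 86.x).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# chrome_is_patched BANNER: succeed if BANNER's version is at or past the fix.
chrome_is_patched() {
    v=$(extract_version "$1")
    [ -n "$v" ] && version_ge "$v" "$PATCHED_VERSION"
}

# Scan the usual Linux binary names (assumed). Other Chromium forks (Brave,
# Vivaldi, Edge) print their own version numbers, so their banners need a
# separate mapping to the underlying Chromium version and are not checked here.
for bin in google-chrome google-chrome-stable chromium chromium-browser; do
    if command -v "$bin" >/dev/null 2>&1; then
        banner=$("$bin" --version 2>/dev/null || true)
        if chrome_is_patched "$banner"; then
            echo "$bin: $banner (patched)"
        else
            echo "$bin: $banner (NOT patched, update now)"
        fi
    fi
done
```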

The other good hygiene thing I do is not visiting dodgy web sites (and using different systems for different tasks, so if I did get attacked they would find, for example, a Raspberry Pi with nothing but Linux downloads, or an Odroid XU4 with a lot of temperature data on it). Segmenting your work across different systems works, and it is made much easier by effective desktop SBCs that cost under $60, where you can swap system images for the cost of a uSD card (about $8).

To see if your favorite Web Browser is likely to be at risk, look for “Blink” in the “Layout Engine” column of this list:

https://en.wikipedia.org/wiki/Comparison_of_web_browsers

FWIW, I don’t know the degree to which this exploit is limited to particular architectures of CPUS. That is, I don’t know if Intel vs ARM vs PPC vs “whatever” matters.


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present “hot buttons” are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits.

6 Responses to Chrome / Brave / Vivaldi Zero Day Attack

  1. Nancy & John Hultquist says:

    MS Edge had an update yesterday or maybe even Friday.
    So I did it just now. 8:20 am Monday.
    Hope that was the fix.

  2. E.M.Smith says:

    It ought to be. The fix was known several days ago so it ought to be in any major vendor browser by now.

    I have to figure out how to update Brave in my “no longer supported” Tablet. It may be time for me to take on the conversion to Linux for it.

  3. tom0mason says:

    E.M. Thanks for the info. much appreciated.
    All browsers now updated.

  4. philjourdan says:

    My work computer is still Windows 7 (for at least another week), so edge is out. My primary browser is Pale Moon (to get into work sites since Brave has a problem with some Java).

    I use Brave for Foxnews and the local weather site. SO I should be ok for another week until I get my windows 10 box. Thanks for the heads up.

  5. E.M.Smith says:

    The MS browser pre Edge does not have this exposure, and Pale Moon is a FireFox derivative IIRC, so it too is exempt. Sounds to me like you don’t have this bug!

  6. philjourdan says:

    Pale Moon is a FF derivative. It is based on the 56 release. So I do have Chrome, but only use that for internal sites (it is only one of 2 browsers sanctioned by the company).
