Yesterday, Wednesday, Google followed up the Chrome security update of November 9 with another one. It closes two security holes in the browser editions for Windows, Linux and macOS that are already being actively exploited. Users should make sure that the patched version 86.0.4240.198 is installed on their systems as soon as possible. The Chrome team plans to roll it out over the coming days and weeks. Incidentally, an update is also available for the Chromium-based Edge, although for the time being it only closes the vulnerability that was fixed in Chrome on November 9. We will cover the Edge update in a separate report later this morning.
As usual, the release announcement Google published for the new Chrome version contains little information about the vulnerabilities. Public access to the bug tracker entries will only be granted once most users have received the update, in order to minimize the risk of active attacks on systems that are not yet protected. Both vulnerabilities (CVE-2020-16013 / “Inappropriate implementation in V8”, CVE-2020-16017 / “Use after free in site isolation”) were rated “High” according to CVSS. According to Google, exploits exist in the wild; however, the company does not provide details on the attack method or on the scope of the active attacks.
The frequency with which Google currently has to patch actively exploited (former) “zero days” is noticeably high. Only at the beginning of last week we reported on sandbox escape attempts and malware infections via two security holes. Before that, at the end of October, a “High”-rated vulnerability in the FreeType library was exploited. Users should therefore keep a close eye on new versions and install them promptly.