Not long after fixing the first zero-day vulnerability, Google Chrome has now fixed another zero-day vulnerability. The vulnerability is tracked as CVE-2020-16009. Google has said that it is aware of the vulnerability being exploited in the wild. Along with this vulnerability, 9 more bugs have been patched by Google in the current update.
However, Google has still not disclosed any information regarding the zero-day vulnerability or the group exploiting it.
Another Chrome zero-day vulnerability in just 2 weeks
The current zero-day vulnerability has come within just two weeks of the last reported vulnerability. It was brought to light by two people: Clement Lecigne from Google's Threat Analysis Group (TAG) and Samuel Groß from Google Project Zero. They reported the vulnerability on the 29th of October, 2020.
The previous vulnerability, on the other hand, was reported just 9 days earlier, on the 20th of October. Then too, Chrome released a security update to patch the vulnerability, CVE-2020-15999. Though Chrome reported both of these vulnerabilities and the efforts made to mitigate their effects, it never said whether the same group exploited both of them.
One Chrome zero-day that only affects Android
Along with the 9 bugs and one zero-day vulnerability, Google Chrome has also fixed another zero-day issue, CVE-2020-16010. This was a sandbox escape vulnerability that only affected Chrome on Android devices. It affected the Android user interface (UI) component of Chrome.
Chrome has also fixed this vulnerability in time and advised all Android owners to update Google Chrome to version 86.0.4240.185 of the application to stay safe from attackers exploiting it.
Though Google has fixed the recent vulnerabilities, the question remains whether they have been fixed completely. Google has not provided any details of the vulnerabilities or how they have been exploited. Since Google Chrome is a widely used application throughout the world, such vulnerabilities can tarnish its reputation and raise a number of questions as to Google's competency at securing its users' privacy.