Google has rolled out a new update for its Chrome browser. The latest version, 86.0.4240.198, comes with a patch for at least two zero-day vulnerabilities. The company confirmed that these bugs were exploited in the wild.
Interestingly, the latest update comes in a span of three weeks of Google rolling out multiple updates for similar zero-day vulnerabilities. According to CNET, the two new vulnerabilities were flagged by anonymous sources. The older three zero-days were brought to Google’s attention by its own Project Zero team.
Google has not elaborated how the new vulnerabilities work. According to the Chrome 86.0.4240.198 changelog, the first vulnerability tracked as CVE-2020-16013, is described as an “inappropriate implementation in V8,” where V8 is the Chrome component that handles JavaScript code.
The second vulnerability, tracked as CVE-2020-16017, is described as a “use after free” memory corruption bug in Site Isolation, the Chrome component that isolates each site’s data from one another.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” said Google in a blog post.
Google’s latest update to Chrome browser is available for Windows, Mac and Linux. The update will be rolled out over the coming days and weeks.
Separately, Microsoft has also rolled out a massive update for Windows users that brings fixes for as many as 112 different vulnerabilities. The November 2020 Patch also includes a fix for a zero-day privilege escalation vulnerability that was flagged by Google’s Project Zero team recently.
