Google again fixes two zero days in Chrome
Google has again fixed two zero days in Chrome. The two vulnerabilities were in the JavaScript engine V8 and in the Site Isolation feature and were actively exploited, according to the company. It is the third time in a short time that zero days have been closed in Chrome.
These are two vulnerabilities that have been rated ‘High’, according to Chrome’s changelog 86.0.4240.198 for Windows, macOS and Linux. These are CVE-2020-16013 and CVE-2020-16017. No extensive details are known about the vulnerabilities at this time. Google does say that the first is a faulty implementation of V8, the JavaScript engine in Chrome. The other is a use-after-free vulnerability in the Site Isolation functionality. Google says both vulnerabilities were actively exploited, but does not provide details. It is therefore not known whether the vulnerabilities were only exploited together or separately.
The two leaks were discovered by outside security researchers, who received an unspecified reward for them. One leak was reported last Monday, the other on Wednesday.
Google has patched zerodays in the browser more often in recent times. In early November, it also closed two vulnerabilities in V8. In October, it turned out that there was an actively attacked vulnerability in the browser’s font library.