CVE-2020-6418: Google Chrome Type Confusion Vulnerability Exploited in the Wild
Google is aware of reports that a type confusion flaw in Google Chrome has been exploited in the wild.
Antecedentes
On February 24, Google released a new stable channel update for Google Chrome for Desktop to address several vulnerabilities, including one that has been reportedly exploited in the wild.
Análisis
CVE-2020-6418 is a type confusion vulnerability in V8, Google Chrome’s open-source JavaScript and WebAssembly engine. It was discovered and reported by Clément Lecigne, security engineer of Google’s Threat Analysis Group (TAG). Last year, Lecigne was credited with finding and reporting CVE-2019-5786, a use-after-free vulnerability in Google Chrome that was also exploited in the wild.
Google says it’s “aware of reports that an exploit” for this flaw “exists in the wild,” implying this may have been exploited as a zero-day.
Detailed information about the vulnerability is restricted at this time. Further information about this vulnerability may become available in the future, after users have had time to apply patches. We will update this blog post if and when this information becomes available.
Prueba de concepto
While this vulnerability has been exploited in the wild, at the time this blog post was published, there was no public proof-of-concept available.
Solución
Google released Chrome version 80.0.3987.122 for Windows, Mac and Linux to address CVE-2020-6418. Google also patched two additional vulnerabilities in this release, including CVE-2020-6407, an out-of-bounds memory access vulnerability and an integer overflow vulnerability that does not have an associated CVE identifier.
Identificación de los sistemas afectados
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Obtenga más información
Únase al Equipo de respuesta de seguridad de Tenable en Tenable Community.
Obtenga más información sobre Tenable, la primera plataforma de Cyber Exposure para el control integral de la superficie de ataque moderna.
Obtenga una prueba gratuita por 30 días de Tenable.io Vulnerability Management.
Artículos relacionados
CVE-2024-47575: Frequently Asked Questions About FortiJump Zero-Day in FortiManager and FortiManager Cloud
October 23, 2024Frequently asked questions about a zero-day vulnerability in Fortinet’s FortiManager that has reportedly been exploited in the wild.
From Bugs to Breaches: 25 Significant CVEs As MITRE CVE Turns 25
October 22, 2024Twenty five years after the launch of CVE, the Tenable Security Response Team has handpicked 25 vulnerabilities that stand out for their significance.
Oracle October 2024 Critical Patch Update Addresses 198 CVEs
October 15, 2024Oracle addresses 198 CVEs in its fourth quarterly update of 2024 with 334 patches, including 35 critical updates.
Securing Financial Data in the Cloud: How Tenable Can Help
November 4, 2024Preventing data loss, complying with regulations, automating workflows and managing access are four key challenges facing financial institutions. Learn how Tenable can help.
Cybersecurity Snapshot: Apply Zero Trust to Critical Infrastructure’s OT/ICS, CSA Advises, as Five Eyes Spotlight Tech Startups’ Security
November 1, 2024Should critical infrastructure orgs boost OT/ICS systems’ security with zero trust? Absolutely, the CSA says. Meanwhile, the Five Eyes countries offer cyber advice to tech startups. Plus, a survey finds “shadow AI” weakening data governance. And get the latest on MFA methods, CISO trends and Uncle Sam’s AI strategy.
FY 2024 State and Local Cybersecurity Grant Program Adds CISA KEV as a Performance Measure
October 31, 2024The CISA Known Exploited Vulnerabilities (KEV) catalog and enhanced logging guidelines are among the new measurement tools added for the 2024 State and Local Cybersecurity Grant Program.
- Vulnerability Management