CVE-2020-6418: Google Chrome Type Confusion Vulnerability Exploited in the Wild
Google is aware of reports that a type confusion flaw in Google Chrome has been exploited in the wild.
Contexto
On February 24, Google released a new stable channel update for Google Chrome for Desktop to address several vulnerabilities, including one that has been reportedly exploited in the wild.
Análise
CVE-2020-6418 is a type confusion vulnerability in V8, Google Chrome’s open-source JavaScript and WebAssembly engine. It was discovered and reported by Clément Lecigne, security engineer of Google’s Threat Analysis Group (TAG). Last year, Lecigne was credited with finding and reporting CVE-2019-5786, a use-after-free vulnerability in Google Chrome that was also exploited in the wild.
Google says it’s “aware of reports that an exploit” for this flaw “exists in the wild,” implying this may have been exploited as a zero-day.
Detailed information about the vulnerability is restricted at this time. Further information about this vulnerability may become available in the future, after users have had time to apply patches. We will update this blog post if and when this information becomes available.
Prova de conceito
While this vulnerability has been exploited in the wild, at the time this blog post was published, there was no public proof-of-concept available.
Solução
Google released Chrome version 80.0.3987.122 for Windows, Mac and Linux to address CVE-2020-6418. Google also patched two additional vulnerabilities in this release, including CVE-2020-6407, an out-of-bounds memory access vulnerability and an integer overflow vulnerability that does not have an associated CVE identifier.
Identificação de sistemas afetados
A list of Tenable plugins to identify these vulnerabilities will appear here as they’re released.
Obtenha mais informações
Junte-se à equipe de resposta de segurança da Tenable na Tenable.
Saiba mais sobre a Tenable, a primeira plataforma de Cyber Exposure para o gerenciamento holístico da sua superfície de ataque moderna.
Obtenha uma avaliação gratuita por 30 dias do Vulnerability Management da Tenable.io.
Artigos relacionados
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: Latest MITRE ATT&CK Update Offers Security Insights on GenAI, Identity, Cloud and CI/CD
April 26, 2024Check out what’s new in Version 15 of the MITRE ATT&CK knowledge base of adversary tactics, techniques and procedures. Plus, learn the latest details about the Change Healthcare breach, including the massive scope of the data exfiltration. In addition, why AI cyberthreats aren’t impacting CISOs’ budgets. And much more!
CVE-2024-20353, CVE-2024-20359: Frequently Asked Questions About ArcaneDoor
April 25, 2024Frequently asked questions about CVE-2024-20353 and CVE-2024-20359, two vulnerabilities associated with “ArcaneDoor,” the espionage-related campaign targeting Cisco Adaptive Security Appliances.
CVE-2024-4040: CrushFTP Virtual File System (VFS) Sandbox Escape Vulnerability Exploited
April 23, 2024A zero-day vulnerability in CrushFTP was exploited in the wild against multiple U.S. entities prior to fixed versions becoming available as the vendor recommends customers upgrade as soon as possible.
- Vulnerability Management