Analysis of examples of Google fixing Chrome 0-day vulnerabilities under active attacks

In the Chrome update on the 25th, Google fixed three security vulnerabilities, including a 0-day vulnerability that was being actively exploited.

Details about these attacks and how the vulnerability was exploited against Chrome users have not been made public.

The attacks were discovered on February 18 by Clement Lecigne, a member of Google’s threat analysis team. Google's Threat Analysis Group is the team responsible for investigating and tracking malicious activity.

The 0-day vulnerability has been fixed in Chrome version 80.0.3987.122. There are updates available for Windows, Mac and Linux users, but there is no patch available for ChromeOS, iOS and Android users.

The 0-day vulnerability number is CVE-2020-6418, and the vulnerability description is only "Type confusion in V8".

V8 is a component of Chrome that handles JavaScript code.

Type confusion refers to a coding vulnerability that occurs when an application uses input initialization data of a specific "type" to perform an operation, but is deceived into treating the input as a different "type".

A logical error in application memory due to "type confusion" could allow an attacker to run unrestricted malicious code in the application.

This is the third Chrome 0-day vulnerability to be actively exploited in the past year.

Google fixed the first Chrome 0-day vulnerability (CVE-2019-5786 in Chrome 72.0.3626.121) in March last year, followed by the second Chrome 0-day vulnerability (Chrome 72.0.3626.121) in November CVE-2019-13720 in 78.0.3904.8).

Although Chrome version 80.0.3987.122 provides two additional security updates, these two vulnerabilities have not yet been exploited. Users are advised to update Chrome as soon as possible.

The above is the detailed content of Analysis of examples of Google fixing Chrome 0-day vulnerabilities under active attacks. For more information, please follow other related articles on the PHP Chinese website!