Pair engineer malicious code from public source tweak before official binary releases
Google has updated Chrome for Linux, Mac, and Windows to address three security vulnerabilities – and exploit code for one of them is already public, so get patching.
In a release note on Monday, Krishna Govind, a test engineer at Google, said Chrome version 80.0.3987.122 addresses three flaws identified by various researchers. Each is rated high severity.
One, reported by André Bargull, is an integer-overflow bug in International Components for Unicode (ICU), a set of libraries for C/C++ and Java that handle Unicode and globalization support. This bug earned a $5,000 bounty from Google for Bargull, and no CVE has been issued.
The second flaw, reported by Sergei Glazunov of Google's Project Zero team, is an out-of-bounds memory access in the streams component of the Chromium browser. It's designated CVE-2020-6407.
This particular remote-code execution vulnerability, CVE-2020-6418, was disclosed by Lecigne to the Chromium team on February 18, and quietly fixed a day later.
If you're running Windows, I feel bad for you, son. Microsoft's got 99 problems, better fix each one
google patches holes chrome exploit already there after