Mind the gap: Google patches holes in Chrome – exploit already out there for one of them after duo spot code fix

Pair engineers exploit code from the public source-code fix before the official binary release


Google has updated Chrome for Linux, Mac, and Windows to address three security vulnerabilities – and exploit code for one of them is already public, so get patching.


In a release note on Monday, Krishna Govind, a test engineer at Google, said Chrome version 80.0.3987.122 addresses three flaws identified by various researchers. Each is rated high severity.


One, reported by André Bargull, is an integer-overflow bug in International Components for Unicode (ICU), a set of libraries for C/C++ and Java that handle Unicode and globalization support. This bug earned a $5,000 bounty from Google for Bargull, and no CVE has been issued.


The second flaw, reported by Sergei Glazunov of Google's Project Zero team, is an out-of-bounds memory access in the streams component of the Chromium browser. It's designated CVE-2020-6407.


The third, reported by Clement Lecigne of Google's Threat Analysis Group, is a type-confusion bug in the TurboFan compiler for V8, the open-source Chromium JavaScript engine.


This particular remote-code execution vulnerability, CVE-2020-6418, was disclosed by Lecigne to the Chromium team on February 18, and quietly fixed a day later.

