As the vulnerability remediation experts we've made a practice of publishing remedies, fixes, and solutions for the more high-profile vulnerabilities we've come across over the years. This blog post will answer, "What is Google Chrome CVE-2020-15999?" but more importantly I'm excited to announce the availability of Vulcan Remedy Cloud as a free and curated database of vulnerability remedies that is open and completely searchable by the Vulcan community of vulnerability management professionals.
Even though Remedy Cloud might put me out of a job as an aspiring blogger, we fully expect this new database from Vulcan Cyber to provide substantial value to IT security pros everywhere.
So if you're still reading this instead of soaking up all the goodness of Remedy Cloud, here's what you need to know about this latest Google Chrome vulnerability. The Vulcan Cyber research team has seen attacks in the wild taking advantage of the new Google Chrome zero-day CVE-2020-15999 are reported. The suggested remedy is to update your browser as soon as possible.
What is the Google Chrome zero day CVE-2020-15999 vulnerability?
CVE-2020-15999 is a heap buffer overflow vulnerability in Freetype, which is a popular open-source library for Chrome font rendering.
The vulnerability was discovered and reported by security researcher Sergei Glazunov of Google Project Zero on October 19.
According to details shared by Glazunov, the vulnerability exists in the FreeType function "Load_SBit_Png" which processes PNG images embedded into fonts. It can be exploited by attackers to execute arbitrary code by using specifically crafted fonts with embedded PNG images. Glazunov also published a font file with a proof-of-concept exploit.
Does CVE-2020-15999 affect me?
If you are using Google Chrome browser under 86.0.4240.111 version on Windows, Mac, or Linux computers, you are vulnerable.
Has the CVE-2020-15999 vulnerability been actively exploited in the wild?
Google is aware of exploit attempts in the wild but has not provided technical details. Ben Hawkes, the technical lead for Google Project Zero, warned on Twitter that while the team has only spotted an exploit targeting Chrome users, it's possible that other projects that use FreeType might also be vulnerable and are advised to deploy the fix included in FreeType version 2.10.4.
How do I remediate the CVE-2020-15999 vulnerability?
Update google Chrome to the stable 86.0.4240.111 version. This new version also patches different vulnerabilities alongside CVE-2020-15999 such as:
- CVE-2020-16000 / High / Inappropriate implementation in Blink.
- CVE-2020-16001 / High / Use after free in media.
- CVE-2020-16002 / High / Use after free in PDFium.
- CVE-2020-16003 / Medium / Use after free in printing.
If you are using Freetype:
- Update FreeType to version 2.10.4.
- Adopt the fix discussed here.