What is the Google Chrome CVE-2020-15999 vulnerability?

Get suggested remedies from the Vulcan Cyber research team to fix the latest Google Chrome zero day vulnerability.

[email protected] | November 05, 2020

As the vulnerability remediation experts, we've made a practice of publishing remedies, fixes, and solutions for the more high-profile vulnerabilities we've come across over the years. This blog post will answer, "What is Google Chrome CVE-2020-15999?" but, more importantly, I'm excited to announce the availability of Vulcan Remedy Cloud as a free and curated database of vulnerability remedies that is open and completely searchable by the Vulcan community of vulnerability management professionals.

For example, instead of reading this post you can simply search for "CVE-2020-15999" in Remedy Cloud and get this result: https://www.remedy-cloud.com/cve/CVE-2020-15999

Even though Remedy Cloud might put me out of a job as an aspiring blogger, we fully expect this new database from Vulcan Cyber to provide substantial value to IT security pros everywhere.

So if you're still reading this instead of soaking up all the goodness of Remedy Cloud, here's what you need to know about this latest Google Chrome vulnerability. The Vulcan Cyber research team has seen that attacks in the wild taking advantage of the new Google Chrome zero-day CVE-2020-15999 are being reported. The suggested remedy is to update your browser as soon as possible.

What is the Google Chrome zero day CVE-2020-15999 vulnerability?

CVE-2020-15999 is a heap buffer overflow vulnerability in FreeType, a popular open-source library that Chrome uses for font rendering.

The vulnerability was discovered and reported by security researcher Sergei Glazunov of Google Project Zero on October 19.

According to details shared by Glazunov, the vulnerability exists in the FreeType function "Load_SBit_Png", which processes PNG images embedded into fonts. Attackers can exploit it to execute arbitrary code by using specially crafted fonts with embedded PNG images. Glazunov also published a font file with a proof-of-concept exploit.

Does CVE-2020-15999 affect me?

If you are using a version of the Google Chrome browser earlier than 86.0.4240.111 on Windows, Mac, or Linux computers, you are vulnerable.

Has the CVE-2020-15999 vulnerability been actively exploited in the wild?

Google is aware of exploit attempts in the wild but has not provided technical details. Ben Hawkes, the technical lead for Google Project Zero, warned on Twitter that while the team has only spotted an exploit targeting Chrome users, it's possible that other projects that use FreeType might also be vulnerable, and they are advised to deploy the fix included in FreeType version 2.10.4.
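To check a fleet against the two fixed versions named above (Chrome 86.0.4240.111 and FreeType 2.10.4), the following added example, which is not Vulcan Cyber's or Google's code, parses reported version strings and flags anything older or unparseable. The inventory format (`host,product,version text`) and the host names are constructed assumptions.

```python
import re

# Fixed versions as stated in this post.
FIXED = {
    "chrome": (86, 0, 4240, 111),
    "freetype": (2, 10, 4),
}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")

# Constructed sample inventory: host,product,version text as reported.
SAMPLE_INVENTORY = """\
ws-014,chrome,Google Chrome 86.0.4240.75
ws-015,chrome,Google Chrome 86.0.4240.111
build-02,freetype,2.9.1
build-03,freetype,2.10.4
kiosk-07,chrome,version not reported
"""

def parse_version(text):
    """Return the first dotted version in free-form text as an int tuple."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.group().split("."))

def is_vulnerable(product, version_text):
    """True if older than the fixed version, False if not, None if unknown."""
    fixed = FIXED[product]
    found = parse_version(version_text)
    if found is None:
        return None
    # Compare numerically (2.9.1 < 2.10.4) and pad so "2.10" means 2.10.0.
    width = max(len(found), len(fixed))
    found += (0,) * (width - len(found))
    fixed += (0,) * (width - len(fixed))
    return found < fixed

def audit(inventory_text):
    """Return (host, product, status) for every vulnerable or unknown entry."""
    findings = []
    for line in inventory_text.strip().splitlines():
        host, product, version_text = line.split(",", 2)
        verdict = is_vulnerable(product, version_text)
        if verdict is None or verdict:
            status = "unknown" if verdict is None else "vulnerable"
            findings.append((host, product, status))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding)
```

Distribution packages can carry the fix backported under an older FreeType version number, so confirm a FreeType hit against the vendor's advisory before treating it as unpatched.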

How do I remediate the CVE-2020-15999 vulnerability?

Update Google Chrome to the stable version 86.0.4240.111. This version also patches other vulnerabilities alongside CVE-2020-15999, such as:

  • CVE-2020-16000 / High / Inappropriate implementation in Blink.
  • CVE-2020-16001 / High / Use after free in media.
  • CVE-2020-16002 / High / Use after free in PDFium.
  • CVE-2020-16003 / Medium / Use after free in printing.

If you are using FreeType: