Serious Chrome Security Flaw Revealed — How to Update Now

Serious Chrome Security Flaw Revealed — How to Update Now

Dear Google Chrome users: there is a security flaw that is currently being used in active attacks.

The flaw is in the FreeType font library underlying Chrome and all Chromium-based browsers, including Brave, the new Microsoft Edge, Opera, Vivaldi, and many others.

There is a mistake in the way the FreeType library handles image sizes, causing a memory buffer overflow that could allow hackers or malicious websites to execute malicious code and take over the browser.

"The stable channel has been updated to 86.0.4240.111 for Windows, Mac and Linux and will be rolled out over the next few days/weeks," Google Technical Program Manger Prudhvikumar Bommana wrote on the official Chrome blog on Tuesday (October 20).

Since the flaw is in Chrome's open source foundation, Chromium, other Chromium-based browsers will also need to be updated. As of this writing on October 21, no updates have been found for Brave and Edge.

To manually update Chrome on Windows and macOS, in most cases restarting the browser will automatically install the update, if available. (If not, click on the three dots in the upper right corner of the browser window, move the pop-up window down to "Help" and click on "About Google Chrome". A new tab will open and the update will begin, if available.

The update procedure is the same for Brave; for Edge, go to "Three Dots" > "Settings" > "About Microsoft Edge". Other Chromium-derived browsers may have different update procedures.

On Linux, updating Chrome depends on the distribution. (On Ubuntu, Chrome updates are incorporated into regular daily updates as long as the update manager is properly configured.) On mobile devices, the app will prompt for updates when they become available.

The FreeType flaw, listed as CVE-2020-15999 and classified as "high" severity, was discovered by Google's own Sergei Glazunov. Neither Bommana nor Glazunov have disclosed details about who is exploiting the flaw, but Google plans to release technical details on October 26.

However, since Glazunov posted the code for the patch on the FreeType developers' forum, it is likely that other attackers will figure out what the problem is and create their own exploits.

The desktop version of Chrome 86.0.4240.111 patches four other security flaws.

Bommana did not mention Chrome on mobile devices, but our Chrome for Android was updated to version 86.0.4240.110 this morning. Our Chromebook updated to version 85.0.4183.131, which seems to be potentially different.

Categories