Google today released a Chrome update to address three security bugs, including a zero-day vulnerability that is being actively exploited in the wild. Commenting on this, Satnam Narang, Senior Research Engineer at Tenable, said: “Google is aware of reports that a type confusion vulnerability in Google Chrome’s open source JavaScript and WebAssembly engine, V8, has been exploited in the wild.
“At this stage, details about the vulnerability (CVE-2020-6418) are minimal. However, researchers have published a proof-of-concept exploit for the flaw. Typically, we see these types of vulnerabilities paired with a sandbox escape flaw, which can be used to gain arbitrary code execution. For instance, a type confusion vulnerability in Mozilla Firefox was exploited along with a sandbox escape vulnerability in June 2019 as part of targeted attacks. However, no further information about the possibility of a second vulnerability associated with this attack is currently available.”