Google has released a new Chrome for Android update to fix a zero-day flaw that is currently exploited in the wild. The new update arrives just days after Google fixed two zero-day vulnerabilities in the desktop version of its Chrome browser. Details related to the attack are not yet public as a majority of Chrome for Android users are yet to install the update. Alongside the security fixes that include those rolled out initially for desktop users, the latest Chrome update also includes stability and performance improvements.
The latest Chrome for Android update carries version number 86.0.4240.185 that includes fixes for a heap buffer overflow vulnerability, listed as CVE-2020-16010. The issue exists in the user interface (UI) component of the Web browser.
“Google is aware of reports that an exploit for CVE-2020-16010 exists in the wild,” the company said in a blog post.
Google’s Project Zero team reported the highly severe vulnerability on October 31. Further, the Threat Analysis Group (TAG) at Google, responsible for tracking threat actors, has been credited for discovering the zero-day attacks related to Chrome for Android.
Details of the bug and its exploit are not yet revealed as the update is currently in its rollout process. However, Google said that the new version would become available for download through Google Play over the next few weeks.
Prior to the last update, Google patched another zero-day issue affecting its Chrome desktop version last month. That vulnerability, identified as CVE-2020-15999, impacted the FreeType font rendering library of the browser.
It is unclear whether the three zero-day bugs discovered in the last one month are exploited by a single threat actor or multiple groups. Having said that, users on both Android and desktop versions of the Chrome browser are recommended to install the latest updates as soon as they are available.