Rewterz Threat Alert – Google Chrome Zero-day Bug Active Exploitation

Severity

High

Analysis Summary

Google has released Chrome 86.0.4240.111 to the Stable desktop channel to address five security vulnerabilities, one of which is an actively exploited zero-day bug. Google is aware of reports that an exploit for CVE-2020-15999 exists in the wild. Google also fixed three other high-severity security vulnerabilities and a medium-severity flaw in Chrome 86.0.4240.111:

• CVE-2020-16000: Inappropriate implementation in Blink
• CVE-2020-16001: Use after free in media
• CVE-2020-16002: Use after free in PDFium
• CVE-2020-16003: Use after free in printing

Impact

  • Memory Corruption
  • System Compromise

Affected Vendors

Google

Affected Products

Google Chrome versions prior to 86.0.4240.111

Remediation

  • Google has released Chrome 86.0.4240.111 to fix the vulnerabilities.
  • Windows, Mac, and Linux desktop users can upgrade to Chrome 86 by going to Settings -> Help -> About Google Chrome.
  • The Google Chrome web browser will then automatically check for the new update and install it when available.

https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html

  • Run all software as a non-privileged user to lower the risk associated with a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources via email or websites.
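
To confirm the upgrade across a fleet, reported Chrome versions can be compared numerically against the fixed build 86.0.4240.111. The following is an added example, not part of the original advisory; the inventory format, hostnames and sample versions are constructed assumptions.

```python
import re

# Fixed build named in the advisory; anything lower is affected.
FIXED = (86, 0, 4240, 111)

# Four dot-separated integers, as in "Google Chrome 86.0.4240.75".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the Chrome version in `text` as a tuple of ints, or None."""
    match = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text, fixed=FIXED):
    """Classify one reported version string against the fixed build."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # unparseable: needs manual follow-up, not a pass
    # Tuples compare element by element as numbers, so 99 < 111 holds here,
    # whereas the strings "86.0.4240.99" < "86.0.4240.111" compares False.
    return "vulnerable" if version < fixed else "patched"


def triage(inventory):
    """Group hostnames by status from {hostname: reported version string}."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, reported in sorted(inventory.items()):
        result[classify(reported)].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 86.0.4240.75",
    "ws-002": "Google Chrome 86.0.4240.111",
    "ws-003": "86.0.4240.99",
    "ws-004": "Google Chrome 87.0.4280.27 beta",
    "ws-005": "not installed",
    "ws-006": "Google Chrome 85.0.4183.121",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" group reported no parseable version and should be checked by hand rather than treated as patched.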