Forum Discussion
Two Chrome Zero Days, One Windows Kernel Zero Day Exploited...
Over the last few weeks, Google has published two separate stable channel updates for the desktop version of Google Chrome. The first update, published on October 20, contained a fix for CVE-2020-15999, a heap buffer overflow vulnerability in a library used by the Chrome browser. The second update, published on November 2, contained a fix for CVE-2020-16009, an inappropriate implementation vulnerability in Google Chrome’s V8 JavaScript engine. Both of these vulnerabilities were exploited in the wild by attackers.
CVE-2020-15999 was also exploited as part of a vulnerability chain with CVE-2020-17087, a pool-based buffer overflow in the Windows Kernel Cryptography Driver, cng.sys. This vulnerability in the Windows Kernel has not yet been patched, but Google says it will be included as part of Microsoft’s upcoming Patch Tuesday for November.
All three vulnerabilities were discovered and reported by researchers on Google’s Project Zero Team, including Google’s Threat Analysis Group, which was credited with discovering CVE-2020-16009.
For more information about these vulnerabilities, including the availability of patches and Tenable product coverage, please visit our blog.
2 Replies
- Anonymous
Current article references CVE-2020-17087 and CVE-2020-10787. Can you please fix typos for article integrity?
- Anonymous
Hi Ken,
Thanks for flagging this, we really appreciate it.
The typos have been addressed and all CVEs are now correctly reflected.