Earlier this week, Google released an update addressing three security bugs, one of which is a zero-day vulnerability. According to Google, the vulnerability was being actively exploited in the wild. The tech giant has patched the zero-day, which is tied to memory corruption, but has kept the details hidden. The update does not explicitly say whether the vulnerability was being used against Chrome users.

For now, all we know is that the issue was discovered last week by Clement Lecigne, a member of Google’s Threat Analysis Group. This division investigates and tracks threat actor groups.

clem1 (@_clem1)

Found and analyzed with a lot of help from @5aelo and Sergei. https://twitter.com/anttitikkanen/status/1232070933063577600 

Antti Tikkanen (@anttitikkanen)

Latest Chrome update patches CVE-2020-6418, 0day found in the wild by @_clem1 : https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html?m=1 

The vulnerability is said to affect Chrome running on the Windows, macOS, and Linux platforms and is identified as CVE-2020-6418. The description called it “type confusion in V8.” For those who don’t know, V8 is Google Chrome’s open-source JavaScript and WebAssembly engine. A ‘type confusion’ is a coding bug in which the application begins operating on data as one specific type of input, but is tricked into believing that the input is of another type. The mismatch leads to logical errors in the app’s memory.
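To make the type-confusion description concrete, here is an added example: a simplified model written for this article, not V8 code and not taken from Google's advisory. The names `value_t`, `confused_slot` and `checked_lookup` and the table contents are hypothetical, and it assumes IEEE 754 doubles. It shows how the bits of a number become a wildly out-of-range index when a code path assumes the wrong type, and how a tag and bounds check stops that.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a dynamically typed engine value. Hypothetical
 * layout for illustration only; this is not how V8 represents values. */
typedef enum { T_NUMBER, T_OBJECT } tag_t;

typedef struct {
    tag_t tag;              /* what the value really is */
    union {
        double   number;    /* valid only when tag == T_NUMBER */
        uint64_t slot;      /* valid only when tag == T_OBJECT: table index */
    } as;
} value_t;

#define TABLE_SIZE 4
static const char *const object_table[TABLE_SIZE] = {
    "obj0", "obj1", "obj2", "obj3"          /* constructed sample data */
};

/* Confused path: assumes the value is an object and never checks the tag,
 * so the raw bits of a number get used as a table index. The index is only
 * returned here, never used for a memory access. */
uint64_t confused_slot(const value_t *v) {
    return v->as.slot;
}

/* Checked path: verify the tag, then the bounds, before touching the table. */
const char *checked_lookup(const value_t *v) {
    if (v->tag != T_OBJECT) return NULL;        /* wrong type: refuse */
    if (v->as.slot >= TABLE_SIZE) return NULL;  /* out of range: refuse */
    return object_table[v->as.slot];
}

int main(void) {
    value_t num, obj;
    num.tag = T_NUMBER; num.as.number = 1.0;
    obj.tag = T_OBJECT; obj.as.slot = 2;

    printf("number 1.0 read as a slot: 0x%llx (table has %d entries)\n",
           (unsigned long long)confused_slot(&num), TABLE_SIZE);
    printf("checked lookup of number:  %s\n",
           checked_lookup(&num) ? "allowed" : "rejected");
    printf("checked lookup of object:  %s\n", checked_lookup(&obj));
    return 0;
}
```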

The patches for this bug have been released as part of Chrome version 80.0.3987.122. This update is currently available for Windows, Mac, and Linux users, but not for Chrome OS, iOS, or Android.

Looking back, this is the third Chrome zero-day bug that was exploited. The first was patched in March last year and the second in November.