Summary:
In the last week of February 2020, a type confusion vulnerability was addressed in V8, Google Chrome’s open-source JavaScript and WebAssembly engine.
Description:
Details about the attacks are not yet public, and we don’t know how this bug (which has been restricted) is being used against Chrome users.
V8 is the Chrome component responsible for processing JavaScript code. “Type confusion” arises from logical errors in how an application handles memory, and it can allow an attacker to run unrestricted malicious code inside the application.
Generally speaking, memory corruption vulnerabilities occur when memory is altered without explicit data assignments, as a result of programming errors, and they enable an adversary to execute arbitrary code on targeted devices.
Affected Products:
Google Chrome V8
Advisory:
https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html
Mitigation:
Google released Chrome version 80.0.3987.122 for Windows, Mac and Linux to address CVE-2020-6418.
Qualys customers can scan their network with QID 372408 to detect vulnerable assets. Please continue to follow Qualys Threat Protection for more coverage on vulnerabilities.
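For teams triaging an asset inventory by hand, the version check implied by the fixed build above can be scripted. This is an added example, not code from Google or Qualys; the hostnames and reported version strings are constructed sample data, and it assumes the inventory covers desktop stable-channel builds only.

```python
import re

# Fixed desktop build named in the advisory above.
FIXED_BUILD = (80, 0, 3987, 122)

# Chrome desktop versions are four dot-separated integers.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_chrome_version(text):
    """Return the first four-part version found in text as ints, or None."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def classify(text):
    """Classify one reported version string against the fixed build."""
    version = parse_chrome_version(text)
    if version is None:
        return "unknown"
    # Tuples compare numerically per component, so build .99 sorts below
    # .122. A plain string comparison would get that case wrong.
    return "patched" if version >= FIXED_BUILD else "vulnerable"


def triage(inventory):
    """Map hostname -> status; anything not 'patched' needs follow-up."""
    return {host: classify(reported) for host, reported in inventory.items()}


# Constructed sample inventory (assumption: stable-channel desktop installs).
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 80.0.3987.122",
    "ws-002": "Google Chrome 80.0.3987.116",
    "ws-003": "Google Chrome 80.0.3987.99",
    "ws-004": "80.0.3987.132",
    "ws-005": "Google Chrome 79.0.3945.130 ",
    "ws-006": "not installed",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be treated as unverified rather than safe, since the version string could not be parsed.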
References & Sources:
- https://bugs.chromium.org/p/chromium/issues/detail?id=1053604
- https://support.google.com/chrome/answer/95414?co=GENIE.Platform%3DDesktop&hl=en
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-6418
- https://www.zdnet.com/article/google-patches-chrome-zero-day-under-active-attacks/