It's time to update Google Chrome and related browsers once again: Google has just released a fix for the second actively exploited Chrome zero-day security flaw in two weeks. The fix applies to Windows, macOS and Linux.
"CVE-2020-16009 is a v8 bug used for remote code execution," wrote Google Project Zero technical lead Ben Hawkes on Twitter yesterday (Nov. 2). He was referring, respectively, to the flaw's catalog number, the Chrome component that handles JavaScript and the fact that the flaw can be exploited over the internet.
- See the best Chromebooks you can buy
- The best Black Friday deals now
- How to watch US Presidential Election: Live stream Election Day 2020
"Google is aware of reports that an exploit for CVE-2020-16009 exists in the wild," wrote Chrome technical program manager Prudhvikumar Bommana in an official blog post listing the security fixes in Chrome version 86.0.4240.183.
That's all Bommana or Hawkes would say about this vulnerability. The Chromium bug entry with more details is locked to all but Chrome developers, as you might expect with a flaw that's not totally been fixed.
Today Chrome fixed two more vulnerabilities that were being actively exploited in the wild (discovered by Project Zero/Google TAG last week). CVE-2020-16009 is a v8 bug used for remote code execution, CVE-2020-16010 is a Chrome sandbox escape for Android. https://t.co/IOhFwT0Wx1November 2, 2020
Chromium is the open-source code that runs underneath Brave, Chrome, Edge, Opera, Vivaldi and many other browsers that aren't named Firefox or Safari.
Google fixed a previous, technically unrelated, zero-day flaw two weeks ago (Oct. 20), and related browsers quickly followed suit. ("Zero-day" means that developers have no time to fix a flaw before bad guys start using it in attacks.)
Just this past Friday (Oct. 30), however, Google revealed a Windows zero-day flaw that was being used in combination with the first Chrome flaw to hijack PCs via malicious websites. It's not clear if yesterday's new flaw has anything to do with those attacks.
How to manually update Chrome and its siblings
Most installations of Chrome and Chromium variants will update themselves if you close the browser and then relaunch it again, although not all Chromium variants may yet have released new versions to patch this flaw.
At the time of this writing, Brave had not released an update, but Edge had a new update for which details were not immediately available.
To manually start a Chrome or Chromium-based update, find and click on the three lines or dots in the top right of the browser window. Scroll down to About, or Help --> About, and select About.
A new tab should open listing the version number of the browser you're running. If an new version is available, the browser will automatically download it and prompt you to relaunch.
You want to update to version 86.0.4240.183 in Chrome or Brave, although the latter doesn't have that version ready yet. In Edge, the latest version is 86.0.622.61.
Android flaw also fixed
In his tweets, Hawkes revealed that Chrome for Android was also being updated to version 86.0.4240.18 to patch a separate flaw.
The update will roll out to different devices over the coming weeks, but our phone got the update last night. Android will prompt you that updates are available if it doesn't install them automatically.
