Heads up, Google Chrome users: Patch your browsers if you can, because there’s a security flaw that is currently being used in active attacks.
The flaw is in the FreeType font library that underlies Chrome and all Chromium-based browsers, including Brave, the new Microsoft Edge, Opera, Vivaldi and dozens of others.
A mistake in the way the FreeType library handles image sizes permits a memory buffer overflow, permitting hackers and malicious websites to run unauthorized code and possibly take over the browser.
“The stable channel has been updated to 86.0.4240.111 for Windows, Mac & Linux which will roll out over the coming days/weeks,” wrote Google Technical Program Manger Prudhvikumar Bommana on the official Chrome blog Tuesday (Oct. 20).
Because the flaw lies in Chromium, the open-source underpinnings of Chrome, other Chromium-based browsers will need to be updated as well. We didn’t see any updates available for Brave or Edge as of this writing Oct. 21.
How to update Chrome
To update Chrome manually on Windows and macOS, you can in most cases just relaunch your browser and the update will install automatically if an update is available. (It was available for Chrome on our primary Windows PC.)
Otherwise, click the three stacked dots at the upper right corner of the browser window, move down the pop-up windows to Help, then click About Google Chrome. A new tab will open and start the update if one is available, after which you have to relaunch the browser.
The update procedure is the same in Brave. In Edge, it’s “Three Dots” –> Settings –> About Microsoft Edge. Other Chromium derivatives may vary in their update procedures.
On Linux, Chrome updates depend on your distribution. (Ubuntu rolls Chrome updates into the regular daily updates as long as you have the update manager configured properly.) On mobile devices, the apps should prompt you to update when an update is available.
The FreeType flaw, listed as CVE-2020-15999 and classified as “High” severity, was discovered by Google’s own Sergei Glazunov. Neither Bommana nor Glazunov gave details about who was exploiting this flaw, although Google is expected to post technical details on Oct. 26.
But because Glazunov posted code for a patch on a FreeType developers’ forum, it’s likely that other attackers will be able to figure out what’s wrong and craft their own exploits.
Four other security flaws are patched in Chrome 86.0.4240.111 for desktop ranging in severity from “High” to “Medium”.
Bommana did not mention Chrome on mobile devices, but our Android version of Chrome got an update to version 86.0.4240.110 this morning, which is probably related. Our Chromebook updated to version 85.0.4183.131, which sounds like it might be different.