Google Fixes Zero Days, NAT Slipstream Attack, in Chrome

Just days after fixing two zero day vulnerabilities, Google has rolled out yet another version of its Chrome browser, this one including a fix for last month’s NAT Slipstream attack.


Administrators are cautioning users this week to apply recent updates to Google’s Chrome browser, if they haven’t already, in order to mitigate not one but two recent zero day vulnerabilities.


A version from last week, 86.0.4240.198 for Windows, Mac, and Linux, resolves CVE-2020-16013 and CVE-2020-16017, two bugs marked high severity by Google. The company warned at the time that exploits for the issues had also been spotted in the wild.


While Google pushed the Chrome stable channel update last Wednesday, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency doubled down on those warnings, encouraging users to apply the necessary updates last Thursday.


It’s the second time this month that Google has fixed two zero day vulnerabilities with a Chrome update. Earlier this month it fixed another bug in V8, CVE-2020-16009, along with a heap-based buffer overflow in Chrome for Android, CVE-2020-16010. Those bugs came after yet another bug, CVE-2020-15999, an actively exploited vulnerability in FreeType, was remedied.


It’s unclear exactly what the most recent vulnerabilities could allow an attacker to carry out. All Google’s update says is that CVE-2020-16013 stems from an inappropriate implementation in the V8 JavaScript engine and that CVE-2020-16017 is connected to a use after free in site isolation. CISA said an attacker could exploit one of these vulnerabilities to take control of an affected system, hinting at the severity of at least one of the bugs.


A Multi-State Information Sharing and Analysis Center (MS-ISAC) advisory on the bugs added that the most severe bug could let “an attacker to execute arbitrary code in the context of the browser.”


“Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights,” the advisory reads.


As usual, Google is refraining from sharing more about the vulnerabilities until the majority of users have updated.


While 86.0.4240.198 fixes the vulnerabilities, it’s not the latest version of the browser. As it usually does, Google released yet another version, Chrome 87, today that fixes even more issues, including the NAT Slipstream attack technique hacker Samy Kamkar disclosed last month on Halloween.


For those who missed it, the technique could allow an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim’s NAT/firewall, just by getting a victim to visit a website.

