Google has issued an urgent update for Chrome which patches a zero-day vulnerability under active exploitation. The Chrome team took just one day from the vulnerability being reported to issuing the patch, such is the danger posed by this flaw.
The patch is included in Chrome version v86.0.4240.111 (CVE-2020-15999) – any older versions should be updated promptly.
The interesting thing about this vulnerability is that it is not in Chrome itself but rather in the open source FreeType library, which is used for font rendering in Chrome and almost every non-Windows system you can think of (including iOS, Android, ChromeOS and Linux – about a billion devices) – so expect to see patches for all those platforms as well. The bug in FreeType is fixed in version 2.10.4, released last week. Details of the bug can be found here.
This is an example of a software supply chain vulnerability – one of the risks posed by embedding third party libraries into your internal software development projects. Using well proven third party software is usually more secure than cutting new code and having to test it yourself (especially true with anything crypto or security related). However, a robust process is needed to monitor all the third party libraries to ensure that any disclosed vulnerabilities are promptly patched into your environment.
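As an added example (not from the original post), a minimal dependency audit in Python that checks a project's pinned third-party library versions against the advisory details above (FreeType fixed in 2.10.4, Chrome fixed in 86.0.4240.111, CVE-2020-15999). The inventory and the component names are constructed for illustration; it compares versions numerically so that 2.9.x is correctly treated as older than 2.10.4.

```python
import re
from typing import NamedTuple


class Advisory(NamedTuple):
    cve: str
    component: str
    fixed_in: str  # first release that contains the fix


# Advisory records taken from the post above.
ADVISORIES = [
    Advisory("CVE-2020-15999", "freetype", "2.10.4"),
    Advisory("CVE-2020-15999", "chrome", "86.0.4240.111"),
]


def parse_version(version: str) -> tuple:
    """Turn '2.10.4' or 'v86.0.4240.111' into a tuple of ints.

    Numeric comparison avoids the classic string-compare mistake where
    '2.9.0' sorts after '2.10.4'.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(component: str, version: str, adv: Advisory) -> bool:
    """True if this component/version predates the fixed release."""
    return (component.lower() == adv.component
            and parse_version(version) < parse_version(adv.fixed_in))


def audit(inventory: dict, advisories=ADVISORIES) -> list:
    """Return (component, version, cve, fixed_in) for every pinned
    library that is older than the release carrying the fix."""
    findings = []
    for component, version in inventory.items():
        for adv in advisories:
            if is_affected(component, version, adv):
                findings.append((component, version, adv.cve, adv.fixed_in))
    return findings


# Constructed inventory: a hypothetical project's pinned third-party libraries.
SAMPLE_INVENTORY = {"freetype": "2.10.2", "chrome": "86.0.4240.111", "zlib": "1.2.11"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print("VULNERABLE: %s %s (%s, fixed in %s)" % finding)
```

In practice the inventory would come from a lock file or SBOM and the advisory list from a vulnerability feed, but the comparison logic is the same.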