Google has issued a patch for a zero-day vulnerability in a component for its Chrome web browser that is being actively exploited by attackers.
Ben Hawkes, technical lead for Google’s Project Zero security bug-hunting team, warned that the vulnerability is being used to target Chrome, but provided no further details on the attacks.
The bug was reported by Project Zero security researcher Sergei Glazunov and was subject to a seven-day disclosure deadline because it was under active exploitation.
It affects the open source FreeType rendering engine used in Chrome and can be exploited with specifically crafted fonts with embedded PNG images.
The width and height values read from the embedded PNG image’s file header are truncated to 16 bits and used to calculate the size of the resulting bitmap, but a mismatch with the library that decodes the image leads to a heap buffer overflow.
“The issue is that libpng uses the original 32-bit values, which are saved in `png_struct`. Therefore, if the original width and/or height are greater than 65535, the allocated buffer won’t be able to fit the bitmap,” Glazunov wrote in his bug report.
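As an added illustration of the mismatch Glazunov describes (this is not code from Chrome, FreeType or libpng): a small C check that parses a PNG IHDR header and refuses any embedded image whose width or height would not survive truncation to 16 bits. The two sample headers are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* PNG integers are big-endian. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Returns 1 if buf starts with a PNG signature followed by an IHDR chunk and
 * both dimensions fit in 16 bits, so truncating them cannot undersize the
 * bitmap allocation; 0 otherwise.  out_w/out_h receive the full 32-bit values. */
int png_dims_safe_for_u16(const unsigned char *buf, size_t len,
                          uint32_t *out_w, uint32_t *out_h) {
    static const unsigned char sig[8] = {0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a};
    /* signature(8) + chunk length(4) + "IHDR"(4) + width(4) + height(4) */
    if (len < 24 || memcmp(buf, sig, 8) != 0) return 0;
    if (be32(buf + 8) != 13 || memcmp(buf + 12, "IHDR", 4) != 0) return 0;
    uint32_t w = be32(buf + 16), h = be32(buf + 20);
    if (out_w) *out_w = w;
    if (out_h) *out_h = h;
    /* The values a 16-bit truncation would have used for sizing the bitmap. */
    uint16_t tw = (uint16_t)w, th = (uint16_t)h;
    return (w != 0 && h != 0 && (uint32_t)tw == w && (uint32_t)th == h);
}

/* Constructed sample headers (not real font data): one benign, one oversized. */
static const unsigned char sample_ok[24] = {
    0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a, 0,0,0,13, 'I','H','D','R',
    0,0,0,32, 0,0,0,32 };
static const unsigned char sample_bad[24] = {
    0x89,'P','N','G',0x0d,0x0a,0x1a,0x0a, 0,0,0,13, 'I','H','D','R',
    0,1,0,0, 0,0,0,32 };   /* width 65536: truncates to 0 in 16 bits */

int check_sample_ok(void)  { return png_dims_safe_for_u16(sample_ok, 24, NULL, NULL); }
int check_sample_bad(void) { return png_dims_safe_for_u16(sample_bad, 24, NULL, NULL); }

/* Full 32-bit width of the oversized sample, for comparison with its truncation. */
uint32_t sample_bad_width(void) {
    uint32_t w = 0;
    png_dims_safe_for_u16(sample_bad, 24, &w, NULL);
    return w;
}
```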
A font file with a proof of concept was published by Glazunov.
On top of the FreeType zero-day, Google also patched high-severity flaws in Chrome’s Blink rendering engine and three use-after-free memory corruption bugs in PDFium and in the browser’s media and printing functions.
The patched version of Chrome is 86.0.4240.11 for Windows, macOS and Linux distributions.
As the flaw exists in FreeType, other vendors that use the font rendering engine are advised to update it to the fixed version 2.10.4.