Google Fixes Zero Days, NAT Slipstream Attack, in Chrome | Digital Guardian

The Industry’s Only SaaS-Delivered Enterprise DLP

Our unique approach to DLP allows for quick deployment and on-demand scalability, while providing full data visibility and no-compromise protection.

No-Compromise Data Protection is:

  • Cloud-Delivered
  • Cross Platform
  • Flexible Controls

Digital Guardian's Blog

Google Fixes Zero Days, NAT Slipstream Attack, in Chrome

by Chris Brook on Tuesday November 17, 2020

Contact Us
Free Demo

Just days after fixing two zero day vulnerabilities, Google has rolled out yet another version of its Chrome browser, resolving a fix for last month's NAT Slipstream attack.

Administrators are cautioning users this week that if they haven't already, to apply recent updates to Google's Chrome browser in order to mitigate not one but two recent zero day vulnerabilities.

A version from last week, 86.0.4240.198 for Windows, Mac, and Linux, resolves CVE-2020-16013 and CVE-2020-16017 two bugs marked high severity by Google. The company warned at the time that exploits for the issues had also been spotted in the wild.

While Google pushed the Chrome stable channel update last Wednesday, the Department of Homeland Security’s Cybersecurity and Infrastructure Agency doubled down on those warnings, encouraging users to apply the necessary updates last Thursday.

It's the second time this month that Google has fixed two zero day vulnerabilities with a Chrome update. Earlier this month it fixed another bug in V8, CVE-2020-16009, along with a heap-based buffer overflow in Chrome for Android, CVE-2020-16010. Those bugs came after yet another bug, CVE-2020-15999, an actively exploited vulnerability in Freetype, was remedied.

It's unclear exactly what the most recent vulnerabilities could allow an attacker to carry out - all Google's update says is that CVE-2020-16013 stems from an inappropriate implementation in the V8 JavaScript engine and that CVE-2020-16017 is connected to a use after free in site isolation – CISA said an attacker could exploit one of these vulnerabilities to take control of an affected system, hinting at the severity of at least one of the bugs.

A Multi-State Information Sharing and Analysis Center (MS-ISAC) advisory on the bugs added that the most severe bug could let "an attacker to execute arbitrary code in the context of the browser." 

“Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights," the advisory reads.

As usual, Google is refraining from sharing more about the vulnerabilities until the majority of users have updated.

While 86.0.4240.198 fixes the vulnerabilities, it's not the latest version of the browser. As it usually does, Google released yet another version, Chrome 87, today that fixes even more issues, including the NAT Slipstream attack technique hacker Samy Kamkar disclosed last month on Halloween.

For those who missed it, the technique could allow an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim's NAT/firewall, just by getting a victim to visit a website.

Tags: Vulnerabilities

Recommended Resources

  • The seven trends that have made DLP hot again
  • How to determine the right approach for your organization
  • Making the business case to executives
  • Why Data Classification is Foundational
  • How to Classify Your Data
  • Selling Data Classification to the Business

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.