Google has released a security update for the Chrome web browser that corrects ten security flaws, including one vulnerability that is currently being actively exploited.
Google’s Threat Analysis Group (TAG), a security team at the search giant tasked with tracking threat actors and their ongoing operations, identified the vulnerability, CVE-2020-16009.
Google has not announced the details of the vulnerability or the group exploiting it, in order to give Chrome users more time to install updates and to prevent other actors from developing new exploits for the same vulnerability.
The company advises users to update their browser to version 86.0.4240.183 for Windows, Mac and Linux.
Google says it is aware of reports of exploitation of the vulnerability (CVE-2020-16009), but did not provide any details regarding the actors behind these attacks.
The company added: "Access to bug details and links is restricted until the majority of users update their browsers, and we also keep restrictions in case the bug is in a third-party library on which other projects depend, and it has not yet been fixed."
This is the second exploited Chrome vulnerability that Google has found in the past two weeks.
On October 20, the company released a browser security update to correct a vulnerability in FreeType, Chrome’s font rendering library (CVE-2020-15999).
Google also revealed last week that this vulnerability was used in conjunction with a Windows operating system vulnerability, CVE-2020-17087.
The Chrome vulnerability was used to execute malicious code inside the browser, while the Windows exploit was used to elevate that code's privileges and attack the underlying Windows operating system.
Microsoft is expected to fix this vulnerability on November 10, in the company’s upcoming update.
Aside from the ten security fixes for the desktop version of Chrome, Google has also addressed a separate vulnerability in Chrome for Android that was being exploited, CVE-2020-16010.