V8 Type Confusion Vulnerability (CVE-2020-6418) Threat Alert

March 24, 2020 | Mina Hao

Vulnerability Description

On February 25, security updates were released for Google Chrome and Microsoft Edge. V8, the open-source JavaScript and WebAssembly engine used by Google Chrome before 80.0.3987.122 and Microsoft Edge before 80.0.361.62, is prone to a type confusion vulnerability (CVE-2020-6418) that allows attackers to access data in an unauthorized way and thereby execute malicious code. According to researchers, this vulnerability was already being exploited in attacks before the security updates were released, and details have since been made publicly available. Users of Google Chrome and of Microsoft Edge (which adopts V8) are advised to install the updates as soon as possible.

Reference links:

https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html

https://docs.microsoft.com/zh-cn/deployedge/microsoft-edge-relnotes-security

Scope of Impact

Affected Versions

  • Google Chrome < 80.0.3987.122
  • Microsoft Edge < 80.0.361.62

Unaffected Versions

  • Google Chrome >= 80.0.3987.122
  • Microsoft Edge >= 80.0.361.62
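As an added example that is not part of the NSFOCUS advisory, the following Python checks installed browser version strings against the fixed builds listed above, comparing each dotted component numerically so that, for instance, 80.0.3987.99 is correctly treated as older than 80.0.3987.122 (a plain string comparison would get this wrong). The inventory entries and hostnames are constructed.

```python
# Added example: classify browser builds as affected or unaffected by
# CVE-2020-6418 using the fixed versions from the advisory above.
import re
from typing import List, Tuple

# Fixed versions from the advisory: any build below these is affected.
FIXED_VERSIONS = {
    "chrome": "80.0.3987.122",
    "edge": "80.0.361.62",
}

_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '80.0.3987.122' into (80, 0, 3987, 122); reject malformed input."""
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(browser: str, version: str) -> bool:
    """True if this build is below the fixed version for its browser.

    Tuple comparison is component-wise and numeric, so 80.0.3987.99 < 80.0.3987.122.
    """
    fixed = FIXED_VERSIONS[browser.lower()]
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    ("host-01", "chrome", "80.0.3987.99"),   # below the Chrome fix: affected
    ("host-02", "chrome", "80.0.3987.122"),  # exactly the fixed build: unaffected
    ("host-03", "edge", "80.0.361.62"),      # exactly the fixed build: unaffected
    ("host-04", "edge", "79.0.309.71"),      # older major version: affected
]


def vulnerable_hosts(inventory=SAMPLE_INVENTORY) -> List[str]:
    """Return the hostnames whose browser build is still affected."""
    return [host for host, browser, ver in inventory if is_vulnerable(browser, ver)]


if __name__ == "__main__":
    for host in vulnerable_hosts():
        print(f"{host}: update required")
```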

Mitigation

Official Fix

Currently, both Google and Microsoft have released a new version to fix the preceding vulnerability. Affected users are advised to upgrade as soon as possible.

To upgrade the Google Chrome browser, follow these steps:

(1) In the Chrome browser, click the menu icon (three vertical dots) in the upper-right corner and then choose Help > About Google Chrome.

(2) Check the current browser version.
If the version is earlier than 80.0.3987.122, your browser is vulnerable.

(3) Opening the About Chrome page triggers an automatic update check and upgrade. If the automatic update does not start or fails, refresh the page.

(4) If the update problem persists, visit the Google Chrome website (https://www.google.cn/intl/zh-CN/chrome) and then download and install the latest version of Google Chrome.

To upgrade the Microsoft Edge browser, follow these steps:

Users can enable the Microsoft Update service of the Windows system for automatic update and patch installation.

Note: Patch installation failure may occur due to network or computer environment issues. Therefore, users are advised to check whether the patch is successfully installed immediately after installation.

Right-click the Start button and then choose Settings > Update & Security > Windows Update to view the update status. Alternatively, click View update history to review previously installed updates.

If the update fails, visit the Microsoft website (https://www.microsoft.com/en-us/edge) and then download and install the latest version of Microsoft Edge.

Workarounds

Users who cannot install the updates immediately are advised to use an unaffected browser (such as Firefox or Internet Explorer) instead of Google Chrome and Microsoft Edge. They are also advised not to open suspicious websites or click links contained in untrusted emails.

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit:

http://www.nsfocusglobal.com.

NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.