eSentire White Logo

Security advisories | Oct 22, 2020

FreeType Remote Code Execution in Multiple Products (CVE-2020-15999)

THE THREAT

On October 20th, 2020, a remote code execution vulnerability (CVE-2020-15999) in the FreeType open-source font library was publicly disclosed [1]. The FreeType library is widely used in a variety of applications, including Google Chrome [2] and Microsoft Edge [3] browsers. If exploited, CVE-2020-15999 allows for Remote Code Execution (RCE) or Denial of Service (DoS) on vulnerable machines. Attacks in the wild have been reported against vulnerable Google Chrome browsers.

Organizations are strongly advised to apply relevant security patches imminently.

What we’re doing about it

  • MVS has local plugins to identify affected versions of software impacted by this vulnerability
    • At present this includes Google Chrome
  • eSentire security teams continue to track this topic for additional details and detection opportunities

What you should do about it

  • Update Google Chrome to version 86.0.4240.111
  • Update Microsoft Edge to version 86.0.622.51
  • Organizations making use of the FreeType library in their own software products should update to FreeType 2.10.4 [4]
  • After performing a business impact review, apply official security patches from vendors as they become available

Additional information

In an attack scenario, threat actors would need to convince a victim to interact with a specially crafted font file. Reports of threat actors exploiting CVE-2020-1599 against vulnerable versions of Chrome have been identified. It is not clear if other vulnerable applications have been targeted at this time. Confirmed vulnerable web-browsers should be prioritized for patching as they have a higher likelihood of being exposed to untrusted code.

CVE-2020-15999 is classified as a Heap-based Buffer Overflow vulnerability in the open-source FreeType library. The FreeType library is incorporated into a wide variety of software, meaning multiple programs and operating systems other than Chrome are likely affected. Additional vendor updates are expected in the near future.

Confirmed Vulnerable:

  • Chrome prior to version 86.0.4240.111
  • Microsoft Edge prior to 86.0.622.51 [3]
  • FreeType Library prior to version 2.10.4 [4]

References:

[1] https://www.cybersecurity-help.cz/vdb/SB2020102038

[2] https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html

[3] https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200002

[4] https://sourceforge.net/projects/freetype/files/freetype2/2.10.4/