Serious Chrome Security Flaw Revealed — How to Update Now


Dear Google Chrome users: there is a security flaw in your browser that is currently being exploited in active attacks, and you should update now.

The flaw is in the FreeType font library bundled with Chrome, and so with every Chromium-based browser, including Brave, the new Chromium-based Microsoft Edge, Opera, Vivaldi and many others.

The mistake is in the way FreeType handles image sizes when it loads PNG images embedded in a font as bitmap glyphs (the Load_SBit_Png routine in FreeType's sfnt module, fixed in FreeType 2.10.4). The width and height are stored as 32-bit values in the PNG header; FreeType truncated them to 16 bits when sizing the glyph buffer, but the PNG decoder then wrote the full-size image into that buffer. A font carrying a glyph image wider or taller than 65535 pixels therefore overflows a heap buffer, which could let a malicious website that serves such a font execute code inside the browser and take it over.
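To make the size mismatch concrete, here is an added example (not FreeType's code and not from the article) that parses a PNG's IHDR chunk, computes the buffer size that a 16-bit-truncated width and height would yield, compares it with the size the decoder would actually produce, and flags the overflow. The sample PNG headers are constructed inline; the 4-bytes-per-pixel figure is an assumption made for the illustration.

```python
"""Flag PNG glyph images whose declared size would not survive 16-bit truncation.

Added example, not FreeType's code or code from the article. CVE-2020-15999 is a
size mismatch: the glyph buffer was sized from width/height truncated to 16 bits,
while the decoder wrote the full 32-bit-sized image. This helper parses a PNG's
IHDR chunk, computes both sizes and reports whether the smaller buffer would be
overrun. The PNG bytes used in the demo are constructed here for the example.
"""
import struct
import zlib
from typing import NamedTuple, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


class IhdrCheck(NamedTuple):
    width: int
    height: int
    truncated_width: int
    truncated_height: int
    bytes_allocated: int   # buffer size if computed from the truncated dimensions
    bytes_decoded: int     # bytes the decoder would actually produce
    overflow: bool


def parse_ihdr(png: bytes) -> Tuple[int, int]:
    """Return (width, height) from the IHDR chunk, validating signature and CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    # First chunk must be IHDR: 4-byte length, 4-byte type, 13-byte data, 4-byte CRC.
    length, ctype = struct.unpack(">I4s", png[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a well-formed IHDR")
    data = png[16:29]
    (crc,) = struct.unpack(">I", png[29:33])
    if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height = struct.unpack(">II", data[:8])
    return width, height


def check_png_dims(png: bytes, bytes_per_pixel: int = 4) -> IhdrCheck:
    """Compare a 16-bit-truncated buffer size with the true decoded size.

    The FreeType fix rejects images too large for 16-bit metrics before
    decoding; this function makes that decision visible by returning both sizes.
    bytes_per_pixel=4 (8-bit RGBA) is an assumption for the illustration.
    """
    width, height = parse_ihdr(png)
    tw, th = width & 0xFFFF, height & 0xFFFF   # the lossy truncation
    allocated = tw * th * bytes_per_pixel
    decoded = width * height * bytes_per_pixel
    return IhdrCheck(width, height, tw, th, allocated, decoded, decoded > allocated)


def make_png_header(width: int, height: int) -> bytes:
    """Build signature + IHDR + empty IEND for a constructed test image.

    Only the header matters for this check, so no IDAT pixel data is included.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)  # 8-bit RGBA

    def chunk(ctype: bytes, data: bytes) -> bytes:
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IEND", b"")


if __name__ == "__main__":
    # Constructed inputs: a benign glyph, then two that exceed 16-bit dimensions.
    for w, h in ((64, 64), (0x10001, 1), (1, 0x20000)):
        r = check_png_dims(make_png_header(w, h))
        print(f"{w}x{h}: allocated={r.bytes_allocated} decoded={r.bytes_decoded} "
              f"overflow={r.overflow}")
```

The 0x10001-wide case is the instructive one: truncated to 16 bits its width becomes 1, so a 4-byte buffer is allocated while the decoder produces 262148 bytes. Any tool that scans fonts for embedded PNG glyphs can apply the same test to each image's IHDR.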

"The stable channel has been updated to 86.0.4240.111 for Windows, Mac and Linux and will be rolled out over the next few days/weeks," Google Technical Program Manager Prudhvikumar Bommana wrote on the official Chrome blog on Tuesday (October 20, 2020).

Since the flaw is in FreeType as bundled by Chromium, Chrome's open-source foundation, every other Chromium-based browser needs its own update. As of this writing on October 21, no fixed builds had yet appeared for Brave or Edge.

To update Chrome on Windows and macOS: in most cases simply restarting the browser installs any pending update. If not, click the three dots in the upper right corner of the browser window, move down the menu to "Help" and click "About Google Chrome". A new tab opens showing the installed version, and the update downloads and installs if one is available; relaunch the browser to finish.

The procedure is the same for Brave; for Edge, go to the three dots > "Settings" > "About Microsoft Edge". Other Chromium-derived browsers may have different update procedures.

On Linux, updating Chrome depends on the distribution. (On Ubuntu, Chrome updates arrive through the regular package updates, as long as the Google repository that the Chrome package adds is left enabled in the update manager.) On mobile devices, the app prompts for updates when they become available.
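Whichever platform you are on, the check that matters is whether the installed build is at or above the fixed one. The following added example (not from the article or from Google) parses the version line that google-chrome --version or chromium --version prints and compares it component by component against the fixed build numbers the article reports. The list of binary names it probes is an assumption; fixed versions for Brave and Edge are not known from the article, so only Chrome/Chromium strings are handled.

```python
"""Check whether a Chrome/Chromium build carries the CVE-2020-15999 fix.

Added example, not code from the article or from Google/Chromium. It parses the
version string that `google-chrome --version` / `chromium --version` print
(e.g. "Google Chrome 86.0.4240.111") and compares it component-wise against the
first fixed build named in the article. The Android build number 86.0.4240.110 is
treated as fixed too, because the article reports it as the mobile update.
"""
import re
import subprocess
from typing import Optional, Tuple

FIXED_DESKTOP = (86, 0, 4240, 111)   # stable channel fix, per the Chrome blog
FIXED_ANDROID = (86, 0, 4240, 110)   # Android build reported in the article

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Assumed binary names to probe on a Linux PATH; adjust for your distribution.
CHROME_BINARIES = ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the four-part Chromium version from a `--version` line.

    Returns None if no four-part version is present, so a garbled or empty
    string is reported as 'unknown' rather than silently as 'patched'.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(part) for part in m.groups())
    return (major, minor, build, patch)


def is_patched(text: str, platform: str = "desktop") -> Optional[bool]:
    """True if the version in `text` is at or above the fixed build.

    Component-wise tuple comparison is required: a naive string compare would
    rank "86.0.4240.75" above "86.0.4240.111" because "7" > "1".
    """
    ver = parse_version(text)
    if ver is None:
        return None
    floor = FIXED_ANDROID if platform == "android" else FIXED_DESKTOP
    return ver >= floor


def installed_chrome_version() -> Optional[str]:
    """Ask a locally installed Chrome/Chromium for its version line, if any.

    Only used when run as a script; the checks above are pure functions that
    work offline on any version string.
    """
    for binary in CHROME_BINARIES:
        try:
            out = subprocess.run([binary, "--version"], capture_output=True,
                                 text=True, timeout=10)
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()
    return None


if __name__ == "__main__":
    line = installed_chrome_version()
    if line is None:
        print("no Chrome/Chromium binary found on PATH")
    else:
        status = is_patched(line)
        verdict = ("unknown" if status is None
                   else "patched" if status else "VULNERABLE, update now")
        print(f"{line}: {verdict}")
```

On Windows and macOS the same comparison can be applied to the version shown on the "About" page; the point of the tuple comparison is that 86.0.4240.75, the previous stable build, must sort below 86.0.4240.111.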

The FreeType flaw, tracked as CVE-2020-15999 and rated "high" severity, was discovered by Sergei Glazunov of Google's Project Zero. Neither Bommana nor Glazunov has disclosed details about who is exploiting the flaw, but Google plans to release technical details on October 26.

However, since Glazunov posted the patch publicly on the FreeType developers' mailing list, other attackers are likely to read the diff, work out what the bug is and build their own exploits, which is why updating promptly matters.

The desktop Chrome 86.0.4240.111 release also patches four other security flaws.

Bommana did not mention Chrome on mobile devices, but our Chrome for Android was updated to version 86.0.4240.110 this morning. Our Chromebook updated to version 85.0.4183.131, which is still on the 85 release line and so is a different build from the one Bommana described.
