Google: 11 zero-day “In the Wild” in the first half of 2020

Google Project Zero Team released 11 zero-day vulnerabilities  in their report for the first half of 2020

The complete details about these zero-days have been obtained from a Google Spreadsheet managed by Google security researchers, which the company made public available earlier this year. The spreadsheet contains Google’s internal statistics about in-the-wild zero-day usage going as far back as 2014, when the company began tracking said stats.

1. • CVE-2019-17026
   • Mozilla
   • Firefox
   • Memory Corruption
   • Type confusion in IonMonkey JIT compiler
   • ???
   • 2020-01-08
   • https://www.mozilla.org/en-US/security/advisories/mfsa2020-03/
   • Dark Hotel
   • https://blogs.360.cn/post/apt-c-06_0day.html
   • Qihoo 360 ATA
2. • CVE-2020-0674
   • Microsoft
   • Internet Explorer
   • Memory Corruption
   • Unspecified memory corruption in Internet Explorer
   • 2020-02-11
   • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0674
   • https://blogs.360.cn/post/apt-c-06_0day.html
   • Dark Hotel
   • https://blogs.360.cn/post/apt-c-06_0day.html
   • “Yi Huang(@C0rk1_H) & Kang Yang(@dnpushme) of Qihoo 360 ATA
   • Clément Lecigne of Google’s Threat Analysis Group”
3. • CVE-2020-6418
   • Google
   • Chrome
   • Memory Corruption
   • Type confusion in v8
   • 2020-02-24
   • https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html
   • Clement Lecigne of Google’s Threat Analysis Group
4. • CVE-2020-8467
   • TrendMicro
   • Apex One/OfficeScan
   • Unspecified
   • Unspecified vulnerability in a migration tool component
   • 2020-03-16
   • https://success.trendmicro.com/solution/000245571
   • Trend Micro Research
5. • CVE-2020-8468
   • TrendMicro
   • Apex One/OfficeScan
   • Logic/Design Flaw
   • Content validation escape in agent client component
   • ???
   • 2020-03-16
   • https://success.trendmicro.com/solution/000245571
   • Trend Micro Research
6. • CVE-2020-6819
   • Mozilla
   • Firefox
   • Memory Corruption
   • Use-after-free while running the nsDocShell destructor
   • 2020-04-03
   • https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
   • Francisco Alonso @revskills working with Javier Marcos of @JMPSec
7. • CVE-2020-6820
   • Mozilla
   • Firefox
   • Memory Corruption
   • Use-after-free when handling a ReadableStream
   • 2020-04-03
   • https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
   • Francisco Alonso @revskills working with Javier Marcos of @JMPSec
8. • CVE-2020-0938
   • Microsoft
   • Windows
   • Memory Corruption
   • Unspecified memory corruption in Adobe Type 1 PostScript format
   • 2020-04-14
   • https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-0938
   • Liubenjin and Zhiyi Zhang from Codesafe Team of Legendsec at Qi’anxin Group
9. • CVE-2020-1020
   • Microsoft
   • Windows
   • Memory Corruption
   • Unspecified memory corruption in Adobe Type 1 PostScript format
   • 2020-04-14
   • https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1020
   • Google Project Zero & Google’s Threat Analysis Group
10. • CVE-2020-1027
    • Microsoft
    • Windows
    • Memory Corruption
    • Unspecified memory corruption in Windows Kernel
    • 2020-03-23
    • 2020-04-14
    • https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1027
    • Google Project Zero & Google’s Threat Analysis Group
11. • CVE 2020-12271
    • Sophos
    • XG Firewall
    • Logic/Design Flaw
    • SQL injection in admin interface/user portal
    • 2020-04-22
    • 2020-04-25
    • https://community.sophos.com/kb/en-us/135412
    • https://news.sophos.com/en-us/2020/04/26/asnarok/