CVE-2020-15963

9.6 CRITICAL

📋 TL;DR

This vulnerability in Google Chrome allows attackers who convince users to install malicious extensions to potentially escape the browser's security sandbox. It affects Chrome versions prior to 85.0.4183.121. Users who install untrusted extensions are at risk.

💻 Affected Systems

Products:
  • Google Chrome
Versions: prior to 85.0.4183.121
Operating Systems: Windows, macOS, Linux, Chrome OS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who install extensions; default Chrome installation without extensions is not vulnerable.

📦 What is this software?

Chrome by Google

Google Chrome is the world's most popular web browser, used by over 3 billion users globally across Windows, macOS, Linux, Android, and iOS platforms. As a Chromium-based browser developed by Google, Chrome dominates the browser market with approximately 65% market share, making it a critical compon...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through sandbox escape, allowing arbitrary code execution at system level.

🟠

Likely Case

Malicious extension gains elevated privileges to access sensitive data or system resources.

🟢

If Mitigated

Limited to extension permissions if sandbox escape fails or proper controls prevent installation.

🌐 Internet-Facing: HIGH - Attackers can host malicious extensions online and trick users into installing them.
🏢 Internal Only: MEDIUM - Requires user interaction to install a malicious extension, but internal phishing could facilitate this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user to install malicious extension; sandbox escape via crafted extension is non-trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 85.0.4183.121

Vendor Advisory: https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop_21.html

Restart Required: Yes

Instructions:

1. Open Chrome.
2. Click three-dot menu → Help → About Google Chrome.
3. Chrome will check for updates and install version 85.0.4183.121 or later.
4. Click Relaunch to restart Chrome.

🔧 Temporary Workarounds

Disable extension installation

all

Prevent users from installing extensions to block attack vector.

chrome://settings/extensions → Toggle 'Allow extensions from other stores' to OFF
Use Group Policy to restrict extension installation

Restrict extension sources

all

Only allow extensions from Chrome Web Store.

chrome://flags/#extensions-on-chrome-urls → Disabled
Configure enterprise policies to restrict sources

🧯 If You Can't Patch

  • Disable or remove all non-essential extensions.
  • Implement application whitelisting to block malicious extensions.

🔍 How to Verify

Check if Vulnerable:

Check Chrome version: if below 85.0.4183.121 and extensions are installed, system is vulnerable.

Check Version:

On Chrome: chrome://version/ or Command Line: google-chrome --version

Verify Fix Applied:

Confirm Chrome version is 85.0.4183.121 or later via About Google Chrome page.
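
The version check above can be scripted. The following is an added example, not part of the original advisory. It compares each version component as an integer, because a plain string comparison would sort 100.x below 85.x. The function names and sample lines are constructed for illustration, and the script checks only the version, not whether extensions are installed.

```sh
#!/bin/sh
# Added example (not from the advisory): numeric check against the fixed build.
FIXED="85.0.4183.121"   # patch version stated on this page

# Pull the first four-part dotted version out of a line of text.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Return 0 when four-part version $1 is numerically lower than $2.
# Components are compared as integers, so 100.x is not treated as < 85.x.
version_lt() {
    a=$1; b=$2
    for i in 1 2 3 4; do
        x=${a%%.*}; y=${b%%.*}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        a=${a#*.}; b=${b#*.}
    done
    return 1   # equal versions are not "lower"
}

# Print a verdict for one line of version output; exit status 0=patched,
# 1=below the fixed build, 2=no version found.
classify() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then echo "UNKNOWN"; return 2; fi
    if version_lt "$v" "$FIXED"; then echo "OUTDATED $v"; return 1; fi
    echo "PATCHED $v"
}

# Constructed sample lines shaped like `google-chrome --version` output.
for line in "Google Chrome 85.0.4183.102" "Google Chrome 85.0.4183.121" \
            "Google Chrome 100.0.4896.60" "Chromium (no version)"; do
    classify "$line" || true
done

# Check the locally installed browser when the binary is on PATH.
if command -v google-chrome >/dev/null 2>&1; then
    classify "$(google-chrome --version 2>/dev/null)" || true
fi
```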

📡 Detection & Monitoring

Log Indicators:

  • Unusual extension installation events
  • Chrome crash reports with extension-related errors

Network Indicators:

  • Downloads of extension files (.crx) from untrusted sources

SIEM Query:

source="chrome" AND (event="extension_install" OR event="crash") AND version<"85.0.4183.121"
