Google patches Chrome zero-day vulnerability exploited in the wild

Google has released today Stable version 88.0.4324.150 of the Chrome browser for Windows, Mac, and Linux. Today’s release contains only one bug fix for a Chrome zero-day vulnerability that was exploited in the wild.

“Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild,” the Google Chrome 88.0.4324.150 announcement reads.

The zero-day, which was assigned the identifier of CVE-2021-21148, was described as a “heap overflow” memory corruption bug in the V8 JavaScript engine.

The vulnerability, rated by Google as high severity, is being tracked as CVE-2021-21148 and was reported by Mattias Buelens on January 24, 2021.

Two days after Buelens’ report, Google’s security team published a story about attacks carried out by North Korean hackers against the cyber-security community.

While buffer overflows generally lead to crashes, attackers can also exploit them to execute arbitrary code on systems running vulnerable software.

In a report on January 28, Microsoft said that attackers most likely used a Chrome zero-day for their attacks. In a statement published today, a South Korean security firm said they discovered an Internet Explorer zero-day used for these attacks.

No details on attacks exploiting the zero-day

Google did not say today if the CVE-2021-21148 zero-day was used in these attacks, although many security researchers believe it was so due to the two events’ proximity.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google adds. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

Before today’s patches, Google went through a spell last year where it patched five actively-exploited Chrome zero-days in three weeks.
