Google fixes Chrome zero-day actively exploited in the wild

[mood]

Google fixes Chrome zero-day actively exploited in the wild

 

 

Google has addressed an actively exploited zero-day security vulnerability in the Chrome 88.0.4324.150 version released today, February 4th, 2020, to the Stable desktop channel for Windows, Mac, and Linux users.

"Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild," the Google Chrome 88.0.4324.150 announcement reads.

 

This version is rolling out to the entire userbase during the next days/weeks. Windows, Mac, and Linux desktop users can upgrade to Chrome 88 by going to Settings -> Help -> About Google Chrome.

 

The Google Chrome web browser will then automatically check for the new update and install it when available.

 

 

V8 vulnerability under active exploitation

The vulnerability rated by Google as high severity is being tracked as CVE-2021-21148 and was reported by Mattias Buelens on January 24th, 2021.

 

The zero-day is described as a heap buffer overflow bug in V8, Google's open-source and C++ based high-performance WebAssembly and JavaScript engine.

 

While buffer overflows generally lead to crashes, they can also be exploited by attackers to execute arbitrary code on systems running vulnerable software.

 

While Google says that it "is aware of reports that an exploit for CVE-2020-16009 exists in the wild," the company did not provide any details regarding the threat actors behind these attacks.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google adds.

"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."

 

This should provide Chrome users with additional time to install the security update released today and to prevent attackers from creating other exploits targeting this zero-day bug.

 

Last year, Google fixed five Chrome zero-days actively exploited in the wild, all within a single month, between October 20 and November 12.

 

 

Source: Google fixes Chrome zero-day actively exploited in the wild

[aum]

 

Google has patched a zero-day vulnerability in Chrome web browser for desktop that it says is being actively exploited in the wild.

 

The company released 88.0.4324.150 for Windows, Mac, and Linux, with a fix for a heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.

 

"Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild," the company said in a statement.

The security flaw was reported to Google by Mattias Buelens on January 24.

 

Previously on February 2, Google addressed six issues in Chrome, including one critical use after free vulnerability in Payments (CVE-2021-21142) and four high severity issues in Extensions, Tab Groups, Fonts, and Navigation features.

 

While it's typical of Google to limit details of the vulnerability until a majority of users are updated with the fix, the development comes weeks after Google and Microsoft disclosed attacks carried out by North Korean hackers against security researchers with an elaborate social engineering campaign to install a Windows backdoor.

 

With some researchers infected simply by visiting a fake research blog on fully patched systems running Windows 10 and Chrome browser, Microsoft, in a report published on January 28, had hinted that the attackers likely leveraged a Chrome zero-day to compromise the systems.

 

Although it's not immediately clear if CVE-2021-21148 was used in these attacks, the timing of the revelations and the fact that Google's advisory came out exactly one day after Buelens reported the issue implies they could be related.

 

In a separate technical write-up, South Korean cybersecurity firm ENKI said the North Korean state-sponsored hacking group known as Lazarus made an unsuccessful attempt at targeting its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day against Internet Explorer.

 

"The secondary payload contains the attack code that attacks the vulnerability of the Internet Explorer browser," ENKI researchers said.

 

It's worth noting that Google last year fixed five Chrome zero-days that were actively exploited in the wild in a span of one month between October 20 and November 12.

 

Source

[Karlston]

Similar topic merged.