Google has addressed an actively exploited zero-day security vulnerability in the Chrome 88.0.4324.150 version released today, February 4th, 2020, to the Stable desktop channel for Windows, Mac, and Linux users.
"Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild," the Google Chrome 88.0.4324.150 announcement reads.
This version is rolling out to the entire userbase during the next days/weeks. Windows, Mac, and Linux desktop users can upgrade to Chrome 88 by going to Settings -> Help -> About Google Chrome.
The Google Chrome web browser will then automatically check for the new update and install it when available.
V8 vulnerability under active exploitation
The vulnerability rated by Google as high severity is being tracked as CVE-2021-21148 and was reported by Mattias Buelens on January 24th, 2021.
Microsoft disclosed on January 28th that a North Korean government-backed hacking group tracked as ZINC 'likely' used a Chrome browser exploit chain (with zero-day or patch gap exploits) to target vulnerability researchers.
The zero-day is described as a heap buffer overflow bug in V8, Google's open-source and C++ based high-performance WebAssembly and JavaScript engine.
While buffer overflows generally lead to crashes, they can also be exploited by attackers to execute arbitrary code on systems running vulnerable software.
No details on attacks exploiting the zero-day
Even though Google says that it "is aware of reports that an exploit for CVE-2020-16009 exists in the wild," the company did not provide any details regarding the threat actors behind these attacks.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google adds.
"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."
This should provide Chrome users with additional time to install the security update released today and to prevent attackers from creating other exploits targeting this zero-day bug.
Last year, Google fixed five Chrome zero-days actively exploited in the wild, all within a single month, between October 20 and November 12.
Comments
redwolfe_98 - 3 years ago
i noticed that i was frequently having webpages crash, with an error-code saying "illegal instruction." hopefully the update resolves that problem, and hopefully my computer wasn't compromised.
doriel - 3 years ago
Does this somehow affect my webpages?
I run PHP and JS on my pages, should I "patch" them somehow or is it related only to outdated webbrowsers?
serghei - 3 years ago
No, only impacts users of unpatched Chrome versions.