Google fixes second actively exploited Chrome zero-day this month

Google has fixed a second actively exploited Chrome zero-day this month with the release of Chrome 89.0.4389.90 to the Stable desktop channel for Windows, Mac, and Linux users.

"Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild," the release announcement reads.

No details regarding ongoing attacks

The zero-day tracked as CVE-2021-21193 is rated by Google as a high severity vulnerability and was reported by an Anonymous researcher on Tuesday.

Google describes it as a use after free bug in Blink, an open-source browser rendering engine developed by the Chromium project with contributions from Google, Facebook, Microsoft, and others.

Successful exploitation of this zero-day could lead to arbitrary code execution on systems running vulnerable Chrome versions.

Even though Google says that it is aware of CVE-2021-21193 active exploitation, it did not share info regarding these ongoing attacks.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said.

"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed."

Until more information is available, Chrome users should have more time to install the security update rolling out over the coming days to prevent exploitation attempts.

The lack of additional info will also prevent other threat actors from developing their own exploits targeting this zero-day.

Third Chrome zero-day patched this year

Another zero-day bug (CVE-2021-21166) exploited in the wild and described as an "Object lifecycle issue in audio" was addressed with the release of Chrome 89.0.4389.72 that started rolling out on March 2nd.

One more actively exploited Chrome zero-day, a heap buffer overflow bug in V8 tracked as CVE-2021-21148 and rated as high severity, was fixed in February.

Last year, Google patched five additional Chrome zero-days within a single month, between October 20 and November 12, all of them also being actively used in attacks.

Today's Chrome release addresses four other vulnerabilities, two of them contributed by external researchers:

• [1167357] High CVE-2021-21191: Use after free in WebRTC. Reported by raven (@raid_akame) on 2021-01-15
• [1181387] High CVE-2021-21192: Heap buffer overflow in tab groups. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-23