Google rushes out fix for zero‑day vulnerability in Chrome
The update patches a total of seven security flaws in the desktop versions of the popular web browser
Google has released an
update for its Chrome web browser that fixes a range of security flaws,
including a zero-day vulnerability that is known to be actively exploited by
malicious actors. The bugs affect the Windows, macOS, and Linux versions of the
popular browser.
“Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,” Google said of the newly disclosed zero-day. The flaw is a type confusion bug in V8, the JavaScript engine used by Chrome and other Chromium-based web browsers.
Beyond the zero-day, the release fixes six other security flaws. Google specifically lists four high-severity vulnerabilities whose fixes were contributed by external researchers. The first, CVE-2021-21222, also affects V8, this time as a heap buffer overflow. The second, CVE-2021-21225, is an out-of-bounds memory access, again in V8. CVE-2021-21223 is an integer overflow in Mojo, Chromium's inter-process communication layer. The fourth, CVE-2021-21226, is a use-after-free in Chrome's navigation code.
“Successful exploitation of
the most severe of these vulnerabilities could allow an attacker to execute
arbitrary code in the context of the browser. Depending on the privileges
associated with the application, an attacker could view, change, or delete data,” warned the Center for Internet
Security.
As is common with such releases, Google is withholding further technical details about the flaws until most users have had a chance to update to the newest version, which denies attackers an easy head start on reproducing the bugs while the patch is still rolling out.
The Government Computer
Emergency Response Team Hong Kong (GovCERT.HK) issued a security alert advising users and system administrators to update their browsers.
“Users of affected systems should update the Google Chrome to version
90.0.4430.85 to address the issue,” said the agency.
Given the disclosed vulnerabilities, users would do well to update to version 90.0.4430.85 or later as soon as practicable. If automatic updates are enabled, the browser downloads the update by itself, but the new build is only applied after a relaunch, so a Chrome that has not been restarted in days may still be running the vulnerable version. You can also update manually via Help > About Google Chrome in the menu, which checks for the update and offers to relaunch. Because V8 and Mojo are shared with other Chromium-based browsers, those need their respective vendors' updates as well.
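For anyone checking more than one machine, the practical question is whether an installed build is at or above the fixed release. The script below is an added example, not code from the article or from Google: it parses Chrome's four-component version string, compares it to 90.0.4430.85 as integer tuples rather than as text (a plain string comparison would wrongly rank a hypothetical 90.0.4430.9 above 90.0.4430.85), and flags hosts whose build predates the fix. The inventory dictionary is constructed sample data; the binary names and the `--version` flag are assumptions that hold for common Linux installs, and the Windows build does not print its version to a console.

```python
"""Flag Chrome builds that predate the release fixing CVE-2021-21224."""
import re
import shutil
import subprocess

# Fixed release named in the advisory (Chrome 90 stable, April 2021).
FIXED_VERSION = "90.0.4430.85"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four-component Chrome version found in text as a tuple of
    ints, e.g. 'Google Chrome 90.0.4430.72' -> (90, 0, 4430, 72).
    Returns None when no version string is present."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(version_text, fixed=FIXED_VERSION):
    """True if the version in version_text is >= the fixed release.

    Comparison is on integer tuples, not strings: as text, '90.0.4430.9'
    sorts after '90.0.4430.85' even though it is an older build.
    """
    installed = parse_version(version_text)
    if installed is None:
        raise ValueError(f"no Chrome version found in {version_text!r}")
    return installed >= parse_version(fixed)


def installed_chrome_version():
    """Ask a locally installed Chrome/Chromium for its version string.

    Assumption: one of these binary names is on PATH and accepts
    --version (true for common Linux packages; chrome.exe on Windows
    does not write its version to a console). Returns None if none found.
    """
    for name in ("google-chrome", "google-chrome-stable",
                 "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True,
                                    text=True, check=False)
            return result.stdout.strip()
    return None


# Constructed sample data, shaped like what an inventory agent might report.
SAMPLE_INVENTORY = {
    "host-a": "Google Chrome 90.0.4430.72",   # earlier Chrome 90 build
    "host-b": "Google Chrome 90.0.4430.85",   # the fixed release
    "host-c": "Google Chrome 89.0.4389.128",  # previous major branch
    "host-d": "Chromium 90.0.4430.93",        # later build, already patched
}


def vulnerable_hosts(inventory):
    """Return, sorted, the hosts whose reported build predates the fix."""
    return sorted(host for host, version in inventory.items()
                  if not is_patched(version))


if __name__ == "__main__":
    local = installed_chrome_version()
    if local:
        state = "patched" if is_patched(local) else "VULNERABLE: update and relaunch"
        print(f"{local}: {state}")
    print("vulnerable in sample inventory:", vulnerable_hosts(SAMPLE_INVENTORY))
```

Note that a version reported by the running binary only reflects what is executing now; a host that has downloaded the update but not relaunched will still report the old build, which is exactly the case this check is meant to catch.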