    Google fixes second actively exploited Chrome zero-day this month

Google has fixed a second actively exploited Chrome zero-day this month with the release of Chrome 89.0.4389.90 to the Stable desktop channel for Windows, Mac, and Linux users.

“Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild,” the release announcement reads.

No details regarding ongoing attacks

The zero-day tracked as CVE-2021-21193 is rated by Google as a high severity vulnerability and was reported by an anonymous researcher on Tuesday.

Google describes it as a use after free bug in Blink, an open-source browser rendering engine developed by the Chromium project with contributions from Google, Facebook, Microsoft, and others.

Successful exploitation of this zero-day could lead to arbitrary code execution on systems running vulnerable Chrome versions.

Even though Google says that it is aware of active exploitation of CVE-2021-21193, it did not share information regarding these ongoing attacks.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said.

“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

Until more information is available, Chrome users should have more time to install the security update rolling out over the coming days to prevent exploitation attempts.

The lack of further information will also prevent other threat actors from developing their own exploits targeting this zero-day.

Third Chrome zero-day patched this year

Another zero-day bug (CVE-2021-21166) exploited in the wild and described as an “Object lifecycle issue in audio” was addressed with the release of Chrome 89.0.4389.72 that started rolling out on March 2nd.

Yet another actively exploited Chrome zero-day, a heap buffer overflow bug in V8 tracked as CVE-2021-2114 and rated as high severity, was fixed in February.

Last year, Google patched five additional Chrome zero-days within a single month, between October 20 and November 12, all of them also being actively used in attacks.

Today’s Chrome release addresses four other vulnerabilities, two of them contributed by external researchers:

• [1167357] High CVE-2021-21191: Use after free in WebRTC. Reported by raven (@raid_akame) on 2021-01-15
• [1181387] High CVE-2021-21192: Heap buffer overflow in tab groups. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-23