Google fixes Chrome zero‑day bug exploited in the wild

The latest update patches a total of five vulnerabilities affecting the browser’s desktop versions


Google has rolled out an update for its Chrome web browser that fixes five security flaws, including a zero-day vulnerability that is known to be actively exploited by malicious actors. The bugs affect the Windows, macOS, and Linux versions of the popular browser.

“Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild,” said Google about the newly disclosed zero-day vulnerability that stems from a use-after-free flaw in Blink, a browser rendering engine developed as part of Chromium.

According to Vulmon, a remote attacker could exploit the high-severity vulnerability by tricking an unsuspecting victim into visiting a specially crafted website, after which they could execute arbitrary code or even cause a denial-of-service attack on the vulnerable system.

Beyond the zero-day flaw, the update also fixes four other security loopholes, with Google specifically listing two high-severity bugs where fixes were contributed by external researchers. The first, tracked as CVE-2021-21191, is another use-after-free vulnerability, but this time it affects WebRTC, a Chrome component that allows audio and video communication to work on websites. Meanwhile, the second flaw, indexed as CVE-2021-21192, is a heap buffer-overflow bug in tab groups, a feature that was introduced as part of the Chrome 85 release.


As is common with such releases, the tech giant has not disclosed any further details about the security loopholes and will withhold them until most users have had a chance to update their web browsers to the newest available version, reducing the chance of the vulnerabilities being exploited by cybercriminals.

The United States’ Cybersecurity and Infrastructure Security Agency (CISA) also took note of the release and issued a security advisory urging both users and system administrators to update their browsers. “Google has released Chrome version 89.0.4389.90 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system,” said the agency.

Considering the disclosed vulnerabilities, you would do well to update your browser to the latest version (89.0.4389.90) as soon as practicable. If you have automatic updates enabled, the browser should update to the newest version by itself. However, you can also update your browser manually by visiting the About Google Chrome section, which can be found under Help in the menu bar.
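For administrators who need to verify the update across many machines rather than one, here is an added example (not part of the original article) that checks reported Chrome versions against the fixed release named above, 89.0.4389.90. The inventory records are constructed sample data; a real check would read them from your endpoint management export.

```python
from typing import Iterable, List, Tuple

# Fixed release from the advisory quoted in the article.
FIXED_VERSION = "89.0.4389.90"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Chrome version such as '89.0.4389.90' into a tuple of ints.

    Chrome versions have four numeric components. Comparing them as plain
    strings is wrong: '89.0.4389.128' sorts *before* '89.0.4389.90'
    lexicographically even though it is the newer build.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is at or above the fixed release."""
    return parse_version(installed) >= parse_version(fixed)


# Constructed sample inventory: (hostname, platform, reported Chrome version).
SAMPLE_INVENTORY = [
    ("ws-001", "windows", "89.0.4389.90"),   # exactly the fixed build
    ("ws-002", "macos", "89.0.4389.128"),    # a later 89 build
    ("ws-003", "linux", "89.0.4389.82"),     # earlier 89 build, still vulnerable
    ("ws-004", "windows", "88.0.4324.182"),  # previous major, vulnerable
    ("ws-005", "linux", "unknown"),          # agent could not read a version
]


def find_unpatched(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames that are below the fixed release or report no usable version.

    A host whose version cannot be parsed is treated as unpatched, since the
    safe assumption for a zero-day is that an unknown state is not fixed.
    """
    unpatched = []
    for host, _platform, version in inventory:
        try:
            if not is_patched(version):
                unpatched.append(host)
        except ValueError:
            unpatched.append(host)
    return unpatched


if __name__ == "__main__":
    print("Hosts needing the Chrome update:", find_unpatched(SAMPLE_INVENTORY))
```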
