Google Chrome Zero-Day Affects Windows and Mac Users
Google issued a warning of a zero-day vulnerability in its V8 open-source web engine that’s being actively exploited by hackers. A patch has been issued in version 88 of Google's Chrome browser for Windows, Mac and Linux. This update will roll out over the coming days and weeks according to Google. The flaw, CVE-2021-21148, stems from a heap-buffer overflow.
A heap-buffer overflow flaw is a class of vulnerability where the region of a process' memory used to store dynamic variables ( the heap ) can be overwhelmed. If a buffer-overflow occurs, it causes the affected program to behave incorrectly, causing memory access errors and crashes and can create an opening for remote code execution.
The heap-buffer overflow error exists in V8, which is an open-source WebAssembly and JavaScript engine used by Google Chrome and Chromium web browsers. V8, which is written in C++, can run stand-alone, or can be embedded into any C++ application. Bugs have previously been discovered and exploited in V8, including a flaw in November that was tied to active exploits.
Google didn't provide further details of the exploit. Researchers with Malwarebytes are assuming that the attack was used against security researchers working on vulnerability research and development at different companies and organizations. They pointed to when the vulnerability was reported to Google by Mattias Buelens on Jan. 24th and when the report was released by Google's Threat Analysis Group on Jan. 30th. Th report revealed that hackers linked to North Korea were targeting security researchers with an elaborate social-engineering campaign that set up trusted relationships with them and then infected their organizations' systems with custom backdoor malware.
Beyond classifying the flaw as a heap-buffer overflow, Google did not specify the potential impact of this vulnerability. In fact, details of the bug overall, including how it can be exploited, remain sparse while Google works to push out the fixes. Meanwhile, researchers are urging Google Chrome users to update as soon as possible. Chrome will, in many cases update to its newest version automatically, however experts suggest that users double check that this has happened. To check if an update is available, users can go to chrome://settings/help by clicking Settings -> About Chrome. If an update is available Chrome will notify users and then start the download process. Users can then relaunch the browser to complete the update.