Google launched a new update concerning the Chrome web browser for Windows, Mac, and Linux on Tuesday. The release contains security fixes for several flaws, one of which has reportedly been exploited in the wild.
The latter is a vulnerability tracked as CVE-2021-21224 that is related to a flaw in V8 open-source JavaScript engine which has been reported to Google on April 5th. As explained, the exploited bug is activated during an integer data type conversion and allows for arbitrary memory read/write primitive.
The Technical Program Manager for Chrome, Srinivas Sista, said in a blog post that Google knows of reports where CVE-2021-21224 is exploited in the wild.
The release of the fix follows a Proof-of-Concept (PoC) code exploitation published on 14th of April on Twitter, where to abuse the vulnerability, a researcher named “frust” has taken advantage of the fact that a patch was not integrated into the Chromium codebase, even though the issue was addressed in the V8 source code.
It took one week for the patch to be integrated into the open-source code repository as a stable update, and during this time, all Chromium-based browsers, such as Chrome, Edge, Opera, and Brave, were at risk of being attacked.
It should be noted that after Google cut down the gap between patches to 15 days in Chrome 78, security fixes are now released every two weeks. Last week the company released patches for two more vulnerabilities, tracked as CVE-2021-21206 and CVE-2021-21220.
In the next few days, a Chrome 90.0.4430.85 update is expected to be launched. The latest version is available by clicking on Settings > Help > About Google Chrome where users can get the patches for the recently fixed flaws. A full list of the changes can be found on the Chromium log.
Leave a Comment