Google is moving to patch a serious zero-day vulnerability in Google Chrome that, if exploited, could allow arbitrary code to run on a target system.
Assigned CVE-2021-21148, the bug is described as a stack buffer overflow that exists in Chrome’s V8 component, prior to version 88.0.4234.150. It was initially reported on January 24, 2021, according to Google, that it believes that an exploit may already exist in the wild.
No further details of the issue have been provided at the time of writing, and there have been no reports of a compromise through the vulnerability. However, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) has recommended that users update to version 88.0.4324.146 for Windows, Mac, and Linux as soon as possible.
Cybersmart CEO and co-founder Jamie Akhtar said that given the severity and scope of the vulnerability, Chrome users could become a prime target.
“As usual, hackers around the world, both the nation-state and criminals, are rapidly exploiting critical vulnerabilities in the wild,” he said.
“On the bright side, a security benefit of using Chrome or a modern browser is the automatic update functionality; this has affected many legacy applications ”.
“This is based on the security-by-design principle where Chrome updates itself while in use, requiring the user to just restart their browser,” Akhtar said.
ProPrivacy researcher Aaron Drapkin said: “Google Chrome’s admission that a zero-day exploit exists in the wild should be of concern to everyone who uses the browser.
“We are talking about a vulnerability that hackers are actively exploiting while remaining elusive for Google at the same time. They can only fight back when they find out what this is, which will mark day zero of mitigation, ”he said.
“Zero-day exploits are not uncommon and can be expected in a browser that so many people use, but for this particular vulnerability, zero-day has yet to occur. This means that it is paramount to ensure that your Chrome browser is running the latest software available. Updating your browser with a patch is the best and the only thing you can do. “
There has already been some unconfirmed speculation that zero-day may be somehow related to a series of cyberattacks against genuine security researchers, perpetrated by malicious actors backed by the North Korean government.
This campaign, which was revealed by Google in January 2021, saw its victims deceived by social media accounts of sock puppets and other social engineering techniques.
The compromised systems were running fully patched versions, at the time, of Microsoft Windows 10 and Chrome.