Google warns of a zero-day vulnerability in the V8 open-source engine that is being actively exploited by attackers.
A patch has now been issued in version 88 of Google’s Chrome browser — specifically, version 88.0.4324.150 for Windows, Mac & Linux. This update will roll out over the coming days & weeks, explained Google. The defect (CVE-2021-21148) stems from a heap-buffer overflow, observed Google.
“Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild,” according to Google’s Thursday security update.
Heap-Buffer Overflow
A heap-buffer overflow flaw as its name suggests, is a type of buffer-overflow error. This is a class of vulnerability where the region of a process’ memory used to store dynamic variables (the heap) can be overwhelmed.
If a buffer-overflow occurs, it typically causes the affected program to behave incorrectly, according to researchers with Imperva – causing memory access errors and crashes — and opening the door to remote code execution.
Details Remain Scant
However, beyond classifying the flaw as a heap-buffer overflow, Google did not specify the potential impact of this vulnerability. In fact, details of the bug overall (including how it can be exploited) remain scant while Google works to push out the fixes.
“Access to bug details & links may be kept restricted until a majority of users are updated with a fix,” commented Google. “We will also retain restrictions if the bug exists in a 3rd-party library that other projects similarly depend on but haven’t yet fixed.”
V8 JavaScript Engine
The heap-buffer overflow error exists in V8, an open-source Web Assembly & JavaScript engine developed by the Chromium Project for Google Chrome & Chromium web browsers. V8, which is written in C++, can run stand-alone, or can be embedded into any C++ application.
Bugs have previously been found & exploited in V8, including a flaw in Nov. that was high severity & tied to active exploits. That flaw was only described as an “inappropriate implementation in V8.”
Security Researchers: Targets?
Google did not provide further details of the attackers exploiting the flaw, but researchers with Malwarebytes on Fri. made a “general assumption” that the attack “was used against security researchers working on vulnerability research & development at different companies & organisations.”
They pointed to the timing of when the vulnerability was reported to Google by Mattias Buelens (Jan. 24) and when a report released by Google’s Threat Analysis Group (Jan. 26).
That report by Google researchers revealed that hackers linked to N. Korea were targeting security researchers with a complex social-engineering campaign that set up trusted relationships with them, then infected their organisations’ systems with custom backdoor malware.
“One of the methods the attackers used was to interact with the researchers & get them to follow a link on Twitter to a write-up hosted on a malicious website,” said researchers with Malwarebytes.
“Shortly after the visit, a malicious service was installed on the researcher’s system & an in-memory backdoor would begin to communicate with a command & control (C&C) server. This sure sounds like something that could be accomplished using a heap buffer overflow in a browser.”
However, Google has not confirmed any correlation with this attack.
Google Chrome Browser – Update!
Researchers ask Google Chrome users to update as soon as possible. Chrome will in many cases update to its newest version automatically, however security experts suggest that users double check that this has occurred. To check if an update is available:
- Google Chrome users can go to chrome://settings/help by clicking Settings > About Chrome
- If an update is available Chrome will notify users & then start the download process
- Users can then relaunch the browser to complete the update
Flaws Continue
The flaw is only the latest security issue in Google Chrome recently. In Jan., the Cybersecurity & Infrastructure Security Agency (CISA) urged Windows, macOS and Linux users of Google’s Chrome browser to patch an out-of-bounds write bug (CVE-2020-15995) impacting the current 87.0.4280.141 version of the software.
In Dec., Google updated Chrome to fix 4 bugs with a severity rating of “high” & 8 overall. 3 were use-after-free flaws, which could allow an adversary to generate an error in the browser’s memory, opening the door to a browser hack & host computer compromise.
