Google is rushing out a fix for a vulnerability in its Chrome browser that is under active attack – its 3rd zero-day flaw so far in 2021. If exploited, the flaw could allow remote code-execution & denial-of-service attacks on affected systems.
The use-after-free vulnerability is the 3rd Google Chrome zero-day flaw to be disclosed in only 3 quicklymonths.
The vulnerability exists in Blink, the browser engine for Chrome developed as part of the Chromium project. Browser engines convert HTML documents & other web page resources into the visual representations viewable to the end users.
“The Stable channel has been updated to 89.0.4389.90 for Windows, Mac and Linux which will roll out over the coming days/weeks,” according to Google’s Fri. security update.
The flaw (CVE-2021-21193) ranks 8.8 out of 10 on the CVSS vulnerability-rating scale, making it high-severity. It is a use-after-free vulnerability, which relates to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program, according to a description of the vulnerability.
According to an IBM X-Force vulnerability report, the flaw could allow a remote attacker to execute arbitrary code on the system.
“By persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system,” according to the report.
Further details are limited because “access to bug details & links may be kept restricted until a majority of users are updated with a fix,” states Google. The bug was credited to an ‘anonymous reporter.’
Google also did not provide further specifics on the exploits other than to say it “is aware of reports that an exploit for CVE-2021-21193 exists in the wild.”
Beyond the zero-day flaw, Google issued 4 other security fixes on Fri.
These included another high-severity use-after-free flaw (CVE-2021-21191), which exists in WebRTC. WebRTC, which stands for web real-time communications, is an open-source project that gives web browsers & mobile applications interactive communications capabilities (such as voice, video & chat). The flaw was reported by someone who goes under the alias “raven” (@raid_akame on Twitter).
Another high-severity flaw is a heap-buffer overflow error (CVE-2021-21192) that stems from Chrome tab groups. The flaw was reported by Abdulrahman Alqabandi with Microsoft Browser Vulnerability Research.
3rd 2021 Zero-Day Chrome Problem
The use-after-free flaw is the 3rd zero-day flaw to affect Google’s Chrome browser in the past 3 months & the 2nd this month alone. Earlier in March, Google said it fixed a high-severity zero-day vulnerability in its Chrome browser, which stems from the audio component of the browser.
Also, in Feb., Google warned of a zero-day vulnerability in its V8 open-source web engine that’s being actively exploited by attackers; a patch for which was issued in version 88 of Google’s Chrome browser.
Chrome will in many cases update to its newest version automatically — however, Chrome users can double-check if an update has been applied:
- Google Chrome users can go to chrome://settings/help by clicking Settings > About Chrome
- If an update is available Chrome will notify users & then start the download process
- Users can then relaunch the browser to complete the update