Google is moving to patch a serious zero-day vulnerability in Google Chrome that, if exploited, could enable arbitrary code execution on a target system.
Assigned CVE-2021-21148, the bug is being described as a heap buffer overflow that exists in the V8 component of Chrome, prior to version 88.0.4234.150. It was initially reported on 24 January 2021, according to Google, which believes an exploit may already exist in the wild.
No further details of the issue have been made available at the time of writing, and there have been no reports of compromise via the vulnerability. Nevertheless, the US government’s Cybersecurity and Infrastructure Security Agency (CISA) has advised users to upgrade to version 88.0.4324.146 for Windows, Mac and Linux at their earliest convenience.
Cybersmart CEO and co-founder Jamie Akhtar said that, given the severity and scope of the vulnerability, Chrome users could find themselves a prime target.
“As usual, hackers across the world, both nation-state and criminal, are quickly exploiting critical vulnerabilities in the wild,” he said.
“On the plus side, a security benefit of using Chrome or a modern browser is the auto-update functionality – this has plagued many legacy applications.”
“This is built on the secure by design principle where Chrome updates itself while in use, requiring the user to only restart their browser,” said Akhtar.
ProPrivacy researcher Aaron Drapkin said: “Google Chrome’s admission that there is a zero-day exploit in the wild should worry everyone using the browser.
“We’re talking about a vulnerability being actively leveraged by hackers whilst remaining elusive to Google concurrently. They can only fight back when they discover what this is – which will mark day zero of mitigation,” he said.
“Zero-day exploits are not uncommon and can be expected in a browser so many people use, but for this particular vulnerability, day zero is yet to happen. This means ensuring your Chrome browser is running the most recent software available is paramount. Updating your browser with a patch is the best – and the only – thing you can do.”
There has already been some unconfirmed speculation that the zero-day may be linked in some way to a spate of cyber attacks against bona fide security researchers, perpetrated by malicious actors backed by the North Korean government.
This campaign, which was disclosed by Google in January 2021, saw its victims duped by sock puppet social media accounts and other social engineering techniques.
The systems compromised were running fully-patched – at the time – versions of Microsoft Windows 10 and Chrome.