Google on Tuesday released a new version of Chrome web-browsing
software for Windows, Mac, and Linux with patches for two newly
discovered security vulnerabilities for both of which it says
exploits exist in the wild, allowing attackers to engage in active
exploitation.
One of the two flaws concerns an insufficient validation of
untrusted input in its V8 JavaScript rendering engine
(CVE-2021-21220), which was demonstrated by Dataflow Security’s
Bruno Keith and Niklas Baumstark at the Pwn2Own 2021[1]
hacking contest last week.
While Google moved to fix the flaw quickly, security researcher
Rajvardhan Agarwal published a working exploit[2]
over the weekend by reverse-engineering the patch that the Chromium
team pushed to the open-source component, a factor that may have
played a crucial role in the release.
Also resolved by the company is a use-after-free[3]
vulnerability in its Blink browser engine (CVE-2021-21206). An
anonymous researcher has been credited with reporting the flaw on
April 7.
“Google is aware of reports that exploits for CVE-2021-21206 and
CVE-2021-21220 exist in the wild,” Chrome Technical Program Manager
Prudhvikumar Bommana noted[4]
in a blog post.
It’s worth noting that the existence of an exploit is not
evidence of active exploitation. It’s not clear if the flaws are
under active attack by threat actors. Since the start of the year,
Google has fixed three shortcomings in Chrome that have been under
attack, including CVE-2021-21148[5], CVE-2021-21166[6], and CVE-2021-21193[7].
Chrome 89.0.4389.128 is expected to roll out in the coming days.
Users can update to the latest version by heading to Settings >
Help > About Google Chrome to mitigate the risk associated with
the flaws.
References
- ^
Pwn2Own
2021 (thehackernews.com) - ^
working
exploit (thehackernews.com) - ^
use-after-free
(cwe.mitre.org) - ^
noted
(chromereleases.googleblog.com) - ^
CVE-2021-21148
(thehackernews.com) - ^
CVE-2021-21166
(thehackernews.com) - ^
CVE-2021-21193
(thehackernews.com)