- Google announced a new Chrome update on Thursday, which patches a severe zero-day bug in the internet browser.
- The security vulnerability might have been exploited in the wild.
- Google’s Chrome update follows recent reports that North Korean hackers used zero-day attacks on internet browsers to run malware on computers belonging to cyber-security researchers.
Google’s Chrome is the world’s most popular internet browser. It’s available not just on Windows and Mac but also on iPhone and Android. Google often releases new versions of Chrome, which bring over new features and performance improvements. The latest update includes several novelties as well, like the new password management tool that helps you change potentially compromised or weak passwords. But Google also updates Chrome each time it has to patch a security issue that hackers can exploit, and Google did just that on Thursday. You should stop what you’re doing online right now and ensure that Google Chrome 88.0.4324.150 is the latest version of the browser installed on your machine. If it’s not, then download the update and reboot Chrome.
The update contains an exploit for a zero-day vulnerability that hackers have already abused in the wild. That means some people may have already been attacked via the new exploit, although it’s unclear how the security vulnerability was used.
The CVE-2021-21148 security issue is described as a “heap overflow” memory corruption bug in the V8 JavaScript engine, ZDNet reports. Google confirmed the bug was exploited in attacks before security researcher Mattias Buelens disclosed the issue. That was on January 24th, so Google was quick to take action and fix it.
Coincidentally, Google’s security team published a report two days after Buelens’s disclosure, detailing cyberattacks that North Korean hackers carried out against the cyber-security community. These attacks included luring researchers to a blog where attackers targeted zero-day bugs to run malware on the researchers’ computers.
Microsoft said in a report on January 28th that the attackers likely used a zero-day Chrome attack. But a South Korean security company also pointed out an Internet Explorer zero-day bug used in the hack.
There’s no indication that the CVE-2021-21148 zero-day is the vulnerability that hackers used in those attacks, as Google made no mention of it. But the succession of recent events does suggest that Google might have taken swift action to prevent similar attacks. Google did say in a note on its blog that it would reveal more details about the bug once most users have upgraded:
Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This seems to indicate the security issue is quite severe and that, again, you should update Chrome to 88.0.4324.150 as soon as it’s available. The update was released for Windows, Mac, and Linux.