Google patches an actively exploited Chrome zero-day

Google Chrome 88.0.4324.150 released with a fix. Users advised to update.

20120314-google-chrome-lapel-pin-4sts-011.jpg

Google has released today version 88.0.4324.150 of the Chrome browser for Windows, Mac, and Linux. Today's release contains only one bugfix for a zero-day vulnerability that was exploited in the wild.

The zero-day, which was assigned the identifier of CVE-2021-21148, was described as a "heap overflow" memory corruption bug in the V8 JavaScript engine.

Google said the bug was exploited in attacks in the wild before a security researcher named Mattias Buelens reported the issue to its engineers on January 24.

Two days after Buelens' report, Google's security team published a report about attacks carried out by North Korean hackers against the cyber-security community.

Some of these attacks consisted of luring security researchers to a blog where the attackers exploited browser zero-days to run malware on researchers' systems.

In a report on January 28, Microsoft said that attackers most likely used a Chrome zero-day for their attacks. In a report published today, South Korean security firm said they discovered an Internet Explorer zero-day used for these attacks as well.

Google did not say today if the CVE-2021-21148 zero-day was used in these attacks, although many security researchers believe it was so due to the proximity of the two events.

But despite how this zero-day was exploited, regular users are advised to use Chrome's built-in update feature to upgrade their browser to the latest version as soon as possible. This can be found via the Chrome menu, Help option, and About Google Chrome section.

Before today's patches, Google went through a spell last year where it patched five actively-exploited Chrome zero-days in a span of three weeks.