Google has issued an emergency update to its Google Chrome browser to fix a worrying flaw that hackers are actively exploiting. The vulnerability, known as a “zero-day” because it had already been discovered by cybercriminals, is found in almost all versions of Chrome, including those for Windows 10, macOS, and Linux. Only Android and iOS seem to be safe from the attack.
Google Chrome is the most popular web browser on the planet, accounting for some 65 percent of all web traffic from desktop computers worldwide, so this is a big deal. The number of people who could be impacted by this vulnerability is dizzying. The latest update, branded 88.0.4324.150, is designed to fix the flaw, which has been labelled CVE-2021-21148 by Google.
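The practical check a defender wants after reading this is whether every managed machine is already on 88.0.4324.150 or later. The following is an added example, not code from the article or from Google: it compares Chrome version strings numerically against the fixed release (plain string comparison would wrongly rank 88.0.4324.96 above 88.0.4324.150) and flags hosts in a constructed sample inventory that still need the update.

```python
"""Added example (not from the article): flag Chrome builds still exposed to
CVE-2021-21148 by comparing version strings numerically against the fixed
release 88.0.4324.150 named in the article.

Assumption: version strings are dotted integers as Chrome reports them;
the inventory below is constructed sample data, not real hosts.
"""
FIXED_VERSION = "88.0.4324.150"  # first build carrying the fix, per the article


def parse_version(v: str) -> tuple:
    """Turn '88.0.4324.150' into (88, 0, 4324, 150) so comparison is numeric.
    Plain string comparison would rank '88.0.4324.96' above '88.0.4324.150'
    because '9' sorts after '1'."""
    parts = v.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is at or above the fixed release."""
    return parse_version(installed) >= parse_version(fixed)


def find_exposed(inventory: dict) -> list:
    """Return host names whose Chrome build predates the fix, sorted.
    Versions that cannot be parsed are also returned, so they get reviewed
    rather than silently passing."""
    exposed = []
    for host, version in inventory.items():
        try:
            if not is_patched(version):
                exposed.append(host)
        except ValueError:
            exposed.append(host)
    return sorted(exposed)


# Constructed sample inventory (host -> reported Chrome version)
SAMPLE_INVENTORY = {
    "ws-01": "88.0.4324.96",        # pre-fix build
    "ws-02": "88.0.4324.150",       # exactly the fixed release
    "ws-03": "88.0.4324.182",       # later release in the same branch
    "ws-04": "87.0.4280.141",       # older branch, not patched
    "ws-05": "88.0.4324.150-beta",  # malformed string, flagged for review
}

if __name__ == "__main__":
    for host in find_exposed(SAMPLE_INVENTORY):
        print(f"{host}: Chrome {SAMPLE_INVENTORY[host]} needs update")
```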
“Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild,” the company said in a short statement about its latest update. We’re unlikely to hear much more from Google about the flaw until it’s confident that the vast majority of its users have updated to the latest version and are safe. That’s standard practice with zero-day vulnerabilities. If the update were a preventative measure, Google might feel able to discuss details of the vulnerability and how it might have been exploited, but since hackers are currently using the flaw to attack Chrome users, Google clearly doesn’t want to give any clues that might allow bad actors who haven’t yet uncovered the flaw to work out how to use it for their own ends. Google was purportedly made aware of the flaw, and of the fact that it was already known to the hacker community, by Mattias Buelens on January 24, 2021.
The flaw is a heap buffer overflow in the V8 JavaScript engine. Two days after Buelens made the report, Google’s Threat Analysis Group reported an active campaign out of North Korea that could possibly be related to the security vulnerability. The attack stemmed from various social media platforms and specifically targeted security researchers. Clicking links on certain social media profiles led users to pages where the attackers attempted to deliver malware via the browser. More details on that threat here.
Back on February 2, 2021, Google addressed six separate issues within Chrome, including four “high severity” issues that related to the Extensions, Tab Groups, Fonts, and Navigation features. And last year, Google fixed five separate zero-day issues within Chrome that were being exploited by hackers in the wild in the span of one month, between October 20 and November 12, 2020.
Commenting on the latest must-download update, CyberSmart co-founder Jamie Akhtar told Express.co.uk, “Given the severity and scope of CVE-2020-16009 (Windows, Mac, Linux with over 3 billion+ Chrome users), this is a prime target with significant reach. As usual, hackers across the world, both nation-state and criminal, are quickly exploiting critical vulnerabilities in the wild.
“On the plus side, a security benefit of using Chrome or a modern browser is the auto-update functionality – this has plagued many legacy applications. This is built on the secure by design principle where Chrome updates itself while in use, requiring the user to only restart their browser.”