Google fixes exploited Chrome zero-day dropped on Twitter

April 27, 2021

Google disclosed a new zero-day vulnerability that stems from a type of confusion bug in the V8 JavaScript engine that is used in Chrome and other Chromium-based web browsers. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. The tech titan has not disclosed any further details about the security loopholes until most users have had a chance to update their web browsers to the newest available version, mitigating the chance of the vulnerabilities being exploited by threat actors.

CVEs Affected- CVE-2021-21224, CVE-2021-21222, CVE-2021-21225, CVE-2021-21223, CVE-2021-21226

How does the exploitation work?

The bug is triggered when performing integer data type conversion, resulting in an out-of-bounds condition that could be used to achieve arbitrary memory read/write primitive.
Google is aware of reports that exploits for CVE-2021-21224 exist in the wild.
Remote code execution vulnerability is not capable of escaping Chromium’s sandbox security feature. Chromium’s sandbox is a security feature that prevents exploits from executing code or accessing files on host computers.
The new zero-day in its current state cannot harm users unless they disable the sandbox.
After disabling the sandbox, the exploit could launch Notepad on Google Chrome 89.0.4389.128 and Microsoft Edge 89.0.774.76, which are the latest versions of both browsers.

Remediation:

Google has released Chrome 90.0.4430.85 to address an actively exploited zero-day and four other high severity security vulnerabilities impacting today’s most popular web
Chrome 90.0.4430.85 is expected to roll out in the coming days. Users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaws.
The version released on April 20th, 2021, to the Stable desktop channel for Windows, Mac, and Linux users will be rolling out to all users over the coming weeks.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Google fixes exploited Chrome zero-day dropped on Twitter

CVEs Affected- CVE-2021-21224, CVE-2021-21222, CVE-2021-21225, CVE-2021-21223, CVE-2021-21226

How does the exploitation work?

Remediation:

Security Team

Related Posts

RomCom Exploits Zero-Day Firefox and Windows Flaws in Sophisticated Cyberattacks

Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor

Microsoft Launches Windows Resiliency Initiative to Boost Security and System Integrity

Our Offices

Corporate Office (HO):

UK Office:

Registered Office (Delhi):

Noida Office:

Phone:

Email

Click To Download

Download CyberSRC Services & Portfolio & Datasheets

Download Case Studies

Download Company Brochure