Google fixes exploited Chrome zero-day dropped on Twitter

Google disclosed a new zero-day vulnerability that stems from a type confusion bug in the V8 JavaScript engine used in Chrome and other Chromium-based web browsers. Successful exploitation of the most severe of the vulnerabilities listed below could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. The company is withholding further details about the vulnerabilities until most users have had a chance to update their web browsers to the newest available version, which reduces the chance of the vulnerabilities being exploited by threat actors.

 

CVEs affected: CVE-2021-21224, CVE-2021-21222, CVE-2021-21225, CVE-2021-21223, CVE-2021-21226

 

How does the exploitation work?

  1. The bug is triggered when performing integer data type conversion, resulting in an out-of-bounds condition that could be used to achieve an arbitrary memory read/write primitive.
  2. Google is aware of reports that exploits for CVE-2021-21224 exist in the wild.
  3. The remote code execution vulnerability cannot, on its own, escape Chromium's sandbox. The sandbox is a security feature that prevents exploits from executing code or accessing files on the host computer.
  4. The new zero-day in its current state cannot harm users unless they disable the sandbox.
  5. With the sandbox disabled, the exploit could launch Notepad on Google Chrome 89.0.4389.128 and Microsoft Edge 89.0.774.76, which are the latest versions of both browsers.

 

Remediation:

  1. Google has released Chrome 90.0.4430.85 to address an actively exploited zero-day and four other high-severity security vulnerabilities impacting today's most popular web browser.
  2. Chrome 90.0.4430.85 is expected to roll out in the coming days. Users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaws.
  3. The version released on April 20th, 2021, to the Stable desktop channel for Windows, Mac, and Linux users will be rolling out to all users over the coming weeks.
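
A defender's check for the two conditions described above, as an added example that is not from Google or the original page: it flags Chrome builds older than 90.0.4430.85 and any Chromium-based browser started with the `--no-sandbox` switch. The inventory records, host names and finding labels are constructed for illustration.

```python
# Added example: triage a browser inventory against the fix version on this page.
FIXED_CHROME = (90, 0, 4430, 85)  # from the page: Chrome 90.0.4430.85

# Constructed sample inventory: (host, browser, version, process command line)
SAMPLE_INVENTORY = [
    ("ws-01", "chrome", "89.0.4389.128", "chrome.exe --profile-directory=Default"),
    ("ws-02", "chrome", "90.0.4430.85", "chrome.exe --no-sandbox --disable-gpu"),
    ("ws-03", "chrome", "90.0.4430.93", "chrome.exe"),
    ("ws-04", "msedge", "89.0.774.76", "msedge.exe --no-sandbox"),
    ("ws-05", "chrome", "not-a-version", "chrome.exe"),
]

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a dotted build number."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def sandbox_disabled(cmdline):
    """True if the process was started with Chromium's --no-sandbox switch."""
    return "--no-sandbox" in cmdline.split()

def triage(record):
    """Return (host, findings) for one inventory record."""
    host, browser, version, cmdline = record
    findings = []
    parsed = parse_version(version)
    if parsed is None:
        findings.append("version-unreadable")
    elif browser == "chrome":
        # Compare numerically; string comparison misorders multi-digit fields.
        if parsed < FIXED_CHROME:
            findings.append("below-fixed-version")
    else:
        # The page gives a fixed build only for Chrome, so none is assumed here.
        findings.append("fixed-version-not-on-page")
    if sandbox_disabled(cmdline):
        findings.append("sandbox-disabled")
    return host, findings

def report(inventory):
    """Map each host that has at least one finding to its list of findings."""
    return {host: found for host, found in map(triage, inventory) if found}

if __name__ == "__main__":
    for host, found in report(SAMPLE_INVENTORY).items():
        print(host, ", ".join(found))
```

A host that is patched but still launched with `--no-sandbox` stays in the report, because the sandbox is what contained the exploit described above.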