Google fixes exploited Chrome zero-day dropped on Twitter
CVEs affected: CVE-2021-21224, CVE-2021-21222, CVE-2021-21225, CVE-2021-21223, CVE-2021-21226
How does the exploitation work?
- The bug is triggered when performing an integer data type conversion, resulting in an out-of-bounds condition that could be used to achieve an arbitrary memory read/write primitive.
- Google is aware of reports that exploits for CVE-2021-21224 exist in the wild.
- The remote code execution vulnerability cannot escape Chromium's sandbox, a security feature that prevents exploits from executing code or accessing files on host computers.
- The new zero-day in its current state cannot harm users unless they disable the sandbox.
- With the sandbox disabled, the exploit could launch Notepad on Google Chrome 89.0.4389.128 and Microsoft Edge 89.0.774.76, which are the latest versions of both browsers.
- Google has released Chrome 90.0.4430.85 to address an actively exploited zero-day and four other high-severity security vulnerabilities impacting today's most popular web browser.
- Chrome 90.0.4430.85 is expected to roll out in the coming days. Users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaws.
- The version released on April 20th, 2021, to the Stable desktop channel for Windows, Mac, and Linux users will be rolling out to all users over the coming weeks.
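
The two conditions above (a build older than the fix and a disabled sandbox) can be checked across a browser inventory. The following is an added example, not code from Google or the original page: the record layout, host names and finding labels are hypothetical, the sample records are constructed, and treating Edge builds at or below 89.0.774.76 as exposed is an assumption because the page does not name the fixed Edge build.

```python
import re
import shlex

FIXED_CHROME = (90, 0, 4430, 85)   # fixed Chrome build named on this page
AFFECTED_EDGE = (89, 0, 774, 76)   # Edge build the page says the exploit ran on
SANDBOX_OFF = "--no-sandbox"       # Chromium switch that disables the sandbox

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so builds compare numerically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"not a four-part version: {text!r}")
    return tuple(int(p) for p in m.groups())

def switches(cmdline):
    """Split a command line into arguments, keeping quoted paths and URLs whole."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # posix=False keeps backslashes
    except ValueError:                              # unbalanced quote in the record
        tokens = cmdline.split()
    return [t.strip("\"'") for t in tokens]

def audit(record):
    """Return the findings for one inventory record (hypothetical layout)."""
    try:
        version = parse_version(record["version"])
    except ValueError:
        return ["unparseable-version"]
    findings, browser = [], record["browser"].lower()
    if browser == "chrome" and version < FIXED_CHROME:
        findings.append("chrome-below-fixed-build")
    # Assumption: Edge at or below the build named on the page is exposed.
    if browser == "edge" and version <= AFFECTED_EDGE:
        findings.append("edge-at-or-below-affected-build")
    if SANDBOX_OFF in switches(record["cmdline"]):
        findings.append("sandbox-disabled")
    return findings

def run_audit(inventory):
    """Map host -> findings, omitting hosts with nothing to report."""
    return {r["host"]: f for r in inventory if (f := audit(r))}

SAMPLE_INVENTORY = [  # constructed records, not real hosts
    {"host": "ws-01", "browser": "chrome", "version": "89.0.4389.128", "cmdline": "chrome --no-sandbox"},
    {"host": "ws-02", "browser": "chrome", "version": "90.0.4430.85",
     "cmdline": 'chrome "https://example.test/?q=--no-sandbox"'},
    {"host": "ws-03", "browser": "edge", "version": "89.0.774.76",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"'},
    {"host": "ws-04", "browser": "chrome", "version": "90.0.4430.9", "cmdline": "chrome"},
]
```

Record ws-04 is there because 90.0.4430.9 sorts after 90.0.4430.85 as a string but is an older build numerically, and ws-02 shows why the switch is matched as a whole argument rather than as a substring.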