Early this month, Google published a stable channel update for Chrome for Desktop. The new version (88.0.4324.150) released by Google for Windows, Mac, and Linux contains a critical bugfix for a zero-day vulnerability that was exploited in the wild.
This zero-day, labeled CVE-2021-21148, is a “heap overflow” memory corruption bug in the V8— Google Chrome’s open-source JavaScript and WebAssembly engine. This vulnerability was uncovered by Mattias Buelens. In the release, Google has also stated that it is “aware of reports that an exploit” for this vulnerability “exists in the wild”
A few days after the vulnerability was brought to light, Google reported about cyberattacks carried out by North Korean hackers against the cyber-sec community. Attackers lured IT pros to a blog and exploited browser zero-days to run malware on the IT pros’ systems.
It is important to note that CVE-2021-21148 is the third zero-day vulnerability of 2021. Before this browser-based zero-day vulnerability, Apple released iOS and iPadOS 14.4 to address two WebKit zero-day vulnerabilities (CVE-2021-1870, CVE-2021-1871) exploited in a similarly. Regular users are advised to either update their Google Chrome version or enable Chrome’s built-in update feature that automatically updates users’ Google Chrome version to the latest version available. You can enable this feature by going to the About Google Chrome section, from the Help option via the Chrome menu.