New Chrome Browser 0-day Under Active Attack—Update Immediately!

Google has patched a zero-day vulnerability in Chrome web browser for desktop that it says is being actively exploited in the wild.

The company released 88.0.4324.150 for Windows, Mac, and Linux, with a fix for a heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.

“Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild,” the company said in a statement.

The security flaw was reported to Google by Mattias Buelens on January 24.

Previously on February 2, Google addressed six issues in Chrome, including one critical use after free vulnerability in Payments (CVE-2021-21142) and four high severity issues in Extensions, Tab Groups, Fonts, and Navigation features.

While it’s typical of Google to limit details of the vulnerability until a majority of users are updated with the fix, the development comes weeks after Google and Microsoft disclosed attacks carried out by North Korean hackers against security researchers with an elaborate social engineering campaign to install a Windows backdoor.

With some researchers infected simply by visiting a fake research blog on fully patched systems running Windows 10 and Chrome browser, Microsoft, in a report published on January 28, had hinted that the attackers likely leveraged a Chrome zero-day to compromise the systems.

Although it’s not immediately clear if CVE-2021-21148 was used in these attacks, the timing of the revelations and the fact that Google’s advisory came out exactly one day after Buelens reported the issue implies they could be related.

In a separate technical write-up, South Korean cybersecurity firm ENKI said the North Korean state-sponsored hacking group known as Lazarus made an unsuccessful attempt at targeting its security researchers with malicious MHTML files that, when opened, downloaded two payloads from a remote server, one of which contained a zero-day against Internet Explorer.

“The secondary payload contains the attack code that attacks the vulnerability of the Internet Explorer browser,” ENKI researchers said.

It’s worth noting that Google last year fixed five Chrome zero-days that were actively exploited in the wild in a span of one month between October 20 and November 12.