As of 2020, the Google Chrome browser had over a billion users and that is why any vulnerability if exploited in the browser can be devastating for unsuspecting users but at the same time, it can be lucrative for cyber criminals.
Google Patches Heap Buffer Overflow Flaw
Google’s Project Zero bug-hunters have patched a zero-day vulnerability in Chrome browser for desktop. It was a heap buffer overflow flaw classified as CVE-2021-21148.
Usually, Google discloses vulnerabilities after most of the users have updated their systems with a fix. However, in this case, Google revealed that it is aware of reports that “an exploit for CVE-2021-21148 exists in the wild.” The use of the phrase exists in the wild is crucial here as this means cybercrooks discovered the flaw before Google could.
Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed, the company said in a blog post.
Six Flaws Fixed by Google
Google’s Mattias Buelens reported the flaw on January 24th, 2021, and on February 2nd, the company addressed six flaws in the Chrome browser. This included a critical use-after-free flaw in Payments classified as CVE-2021-21142 and four high severity extensions in Navigation, Fonts, Tab Groups, and Extensions.
Interestingly, Google fixed five Chrome browser zero-days between October 20th and November 12th, 2020, all of which were actively exploited in the wild before patching.
Is Lazarus Group Targeting Windows Systems?
The disclosure comes weeks after Microsoft and Google revealed details of North Korean hackers‘ attacks against cybersecurity researchers. In that campaign, which Microsoft reported on January 28th, attackers tricked researchers into installing a Windows backdoor through social engineering.
Some targeted researchers got their devices infected after visiting a rogue research blog on patched systems running Windows 10 or Chrome browser. At the time, Google revealed that attackers most likely exploited a Chrome zero-day flaw for compromising the systems.
Though it isn’t yet clear whether they used the same vulnerability (CVE-2021-21148) in that campaign, the timing of the revelation and Google’s advisory implies that there could be a connection.
Nonetheless, if you are on Google Chrome update it to the latest version without further delay.