Security Market Segment LS
Thursday, 22 April 2021 06:47

Google patches yet another Chrome zero-day, tight-lipped about details Featured

By
Google patches yet another Chrome zero-day, tight-lipped about details Image by Clker-Free-Vector-Images from Pixabay

Search giant Google has been forced to patch yet another zero-day in its Chrome browser, the fourth this year, but the company has not provided any indicators of compromise or other details n its advisory.

In an advisory dated 20 April (US time), the company merely said that the stable branch of Chrome had been updated for Windows, Mac and Linux. It said it was aware that exploits for this latest flaw were floating around the Internet.

The new release also fixes four other serious flaws in Chrome, the browser with the biggest market share globally.

Srinivas Sista of the Chrome project said in the advisory that "access to bug details and links may be kept restricted until a majority of users are updated with a fix".

"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed," he added.

Veteran security reporter Ryan Naraine noted: "This is the fourth in-the-wild Chrome zero-day discovered so far in 2021 and the continued absence of IOC [indicators of compromise] data or any meaningful information about the attacks continue to raise eyebrows among security experts."

The only statement regarding the vulnerability under exploitation was that it was a type confusion bug in the V8 JavaScript engine used by the browser and was reported by Jose Martinez, a researcher from security firm VerSprite.

The community organisation Centre for Internet Security detailed the bugs made known on Tuesday as given under:

  • A heap buffer overflow vulnerability that exists in the ‘V8' component. (CVE-2021-21222)
  • An integer overflow vulnerability that exists in the ‘Mojo’ component. (CVE-2021-21223)
  • A type confusion vulnerability that exists in the ‘V8’ component. (CVE-2021-21224)
  • An out of bounds memory access vulnerability exists in the ‘V8’ component. (CVE-2021-21225)
  • A use after free vulnerability exists in the ‘navigation’ component. (CVE-2021-21226)

Several other browsers like Brave, Microsoft Edge and Vivaldi use the same engine; Google has an open-source version of Chrome known as Chromium and the code is taken from that project.

Two more Chrome zero-days were reported last week, with both being disclosed on Twitter.

One, by Indian researcher Rajvardhan Agarwal, was technically a one-day bug, something he acknowledged himself.

The other, dropped by a Chinese researcher known as frust, included a YouTube video of the way in which the vulnerability could be exploited.

The video showed how the vulnerability could be used to open applications on Windows desktops, with the example in question being the Notepad application.

Commenting on the latest Chrome flaw, Satnam Narang, staff researcher engineer with security shop Tenable, said it was not uncommon for Google to hold back on vulnerability details, especially when flaws were being exploited in the wild.

"Their intention is to give users and organisations time to apply these patches before sharing further information," he told iTWire in response to a query.

"Once again, this latest vulnerability (CVE-2021-21224) exists in the V8 JavaScript engine. As with some of the more recent Chrome zero-days in V8, this vulnerability needs to be paired with a separate vulnerability to escape the Chrome sandbox, lessening its impact.

"In some instances, Google will provide additional context, as they did in March 2019 when they also discovered a separate Windows vulnerability was used to escape the Sandbox.

"It is certainly an alarming trend that several zero-days have been patched in Google Chrome since the beginning of 2021 and some proof-of-concept details are being shared publicly. As we noted in our 2020 Threat Landscape Retrospective report, we saw over 35% of zero-days were browser-based, underscoring their prominence."


Subscribe to ITWIRE UPDATE Newsletter here

GRAND OPENING OF THE ITWIRE SHOP

The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.

ENTER THE SHOP NOW!

INTRODUCING ITWIRE TV

iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the iTWire.com site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.

SEE WHAT'S ON ITWIRE TV NOW!

BACK TO HOME PAGE
Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

Share News tips for the iTWire Journalists? Your tip will be anonymous

WEBINARS ONLINE & ON-DEMAND

GUEST ARTICLES

VENDOR NEWS

Guest Opinion

Guest Interviews

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News

Comments