In an advisory dated 20 April (US time), the company merely said that the stable branch of Chrome had been updated for Windows, Mac and Linux. It said it was aware that exploits for this latest flaw were floating around the Internet.
The new release also fixes four other serious flaws in Chrome, the browser with the biggest market share globally.
Srinivas Sista of the Chrome project said in the advisory that "access to bug details and links may be kept restricted until a majority of users are updated with a fix".
Veteran security reporter Ryan Naraine noted: "This is the fourth in-the-wild Chrome zero-day discovered so far in 2021 and the continued absence of IOC [indicators of compromise] data or any meaningful information about the attacks continue to raise eyebrows among security experts."
The community organisation Centre for Internet Security detailed the bugs made known on Tuesday as given under:
- A heap buffer overflow vulnerability that exists in the ‘V8' component. (CVE-2021-21222)
- An integer overflow vulnerability that exists in the ‘Mojo’ component. (CVE-2021-21223)
- A type confusion vulnerability that exists in the ‘V8’ component. (CVE-2021-21224)
- An out of bounds memory access vulnerability exists in the ‘V8’ component. (CVE-2021-21225)
- A use after free vulnerability exists in the ‘navigation’ component. (CVE-2021-21226)
Several other browsers like Brave, Microsoft Edge and Vivaldi use the same engine; Google has an open-source version of Chrome known as Chromium and the code is taken from that project.
Two more Chrome zero-days were reported last week, with both being disclosed on Twitter.
One, by Indian researcher Rajvardhan Agarwal, was technically a one-day bug, something he acknowledged himself.
The other, dropped by a Chinese researcher known as frust, included a YouTube video of the way in which the vulnerability could be exploited.
The video showed how the vulnerability could be used to open applications on Windows desktops, with the example in question being the Notepad application.
Commenting on the latest Chrome flaw, Satnam Narang, staff researcher engineer with security shop Tenable, said it was not uncommon for Google to hold back on vulnerability details, especially when flaws were being exploited in the wild.
"Their intention is to give users and organisations time to apply these patches before sharing further information," he told iTWire in response to a query.
"In some instances, Google will provide additional context, as they did in March 2019 when they also discovered a separate Windows vulnerability was used to escape the Sandbox.
"It is certainly an alarming trend that several zero-days have been patched in Google Chrome since the beginning of 2021 and some proof-of-concept details are being shared publicly. As we noted in our 2020 Threat Landscape Retrospective report, we saw over 35% of zero-days were browser-based, underscoring their prominence."