Google Patches Zero-Day Vulnerability in Chrome
Flaw Being Exploited in the Wild
Google has rolled out patches for a zero-day vulnerability in the popular web browser Chrome that's being exploited in the wild.
The vulnerability, tracked as CVE-2021-21166, was first reported by Alison Huffman of Microsoft Browser Vulnerability Research. The flaw is in the audio component of the browser, and Google says it stems from an object life cycle issue.
"A separate object lifecycle flaw, also identified in the audio component, was reported to Google on February 4, the same day the stable version of Chrome 88 became available," Google notes.
In addition to the zero-day patch, Google's Tuesday patch of Chrome includes 46 other vulnerability fixes; eight of those are considered high severity. These include heap buffer overflows in TabStrip (CVE-2021-21159 and CVE-2021-21161), in Web Audio (CVE-2021-21160) and in WebRTC (CVE-2021-21162).
Exploit Details Not Revealed
Google did not reveal how the Chrome zero-day vulnerability is being exploited.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google says. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed."
Paul Ducklin, principal research scientist at Sophos, says that there is a possibility that some sort of remote code execution attack is taking advantage of the Chrome zero-day flaw. This might open the door to installing malware on a computer without the user noticing.
"Given that this [zero-day] bug apparently has something to do with audio processing, [it is likely] the bug can be deliberately and remotely triggered by serving up some audio-related data via a booby-trapped web page," Ducklin adds.
Other Chrome Issues
Last year, several other Chrome security issues were revealed.
In December 2020, researchers at the security firm Avast found 28 malicious third-party browser extensions used with Google Chrome and Microsoft Edge that had been downloaded about 3 million times (see: Malicious Browser Extensions Downloaded 3 Million Times).
In June 2020, Awake Security discovered that 70 Chrome extensions could be used to steal users' credentials and security tokens. The extensions were then removed.
Google removed 500 Chrome extensions from its online store in February 2020 after researchers found that attackers were using them to steal browser data (see: Google Removes 500 Chrome Extensions Tied to Malvertising).
In October 2019, Google updated its security and privacy requirements for developers who want to post new extensions in the company's official online store.