Google’s Chrome browser has several security vulnerabilities that could pave the way to multiple types of attacks, including a V8 bug that could allow remote code execution (RCE) within a user’s browser.
The high-severity V8 issue is tracked as CVE-2021-21227, and was reported by Gengming Liu from Singular Security Lab. Google describes the bug as “insufficient data validation in V8” but is keeping other details close to its vest.
However, Liu told SecurityWeek that the bug is somewhat mitigated by the fact that it doesn’t allow attackers to escape the sandbox where Chrome runs, meaning attackers can’t reach any of the other program, data and applications on the computer. Thus, CVE-2021-21227 would need to be chained with another vulnerability in order to successfully wreak havoc on a target’s machine beyond the browser itself.
The researcher also noted that his discovery is related to prior, now-patched V8 vulnerabilities (CVE-2020-16040 and CVE-2020-15965). The former allows a remote attacker to exploit heap corruption if a user visits, or is redirected to, a specially crafted web page. The latter is a type-confusion bug that allows a remote attacker to potentially perform out-of-bounds memory access, also exploitable with a specially crafted HTML page.
Meanwhile, according to another report, the implications of an attack using the bug depend on the privileges associated with the application: In the worst-case scenario, an attacker could view, change or delete data.
And, if someone has turned off sandboxing, all bets are off.
Google recently patched a zero-day in Chrome (for which a researcher dropped code on Twitter). That was another V8 issue that allowed RCE inside the browser app (but not sandbox escape).
Nine Chrome 90 Patches to Roll Out
Details of all nine of the Google Chrome vulnerabilities are as follows. They affect Chrome and possibly other browsers, like Microsoft Edge, that use the Chromium framework:
- CVE-2021-21227: Insufficient-data-validation vulnerability in the V8 component.
- CVE-2021-21228: Insufficient-policy-enforcement vulnerability in extensions.
- CVE-2021-21229: Incorrect-security-UI vulnerability in downloads.
- CVE-2021-21230: Type-confusion vulnerability in the V8 component.
- CVE-2021-21231: Insufficient-data-validation vulnerability in the V8 component.
- CVE-2021-21232: Use-after-free vulnerability in the DevTools component.
- CVE-2021-21233: Heap-buffer-overflow vulnerability in the ANGLE component.
Google has addressed the flaws in its latest stable channel release (90.0.4430.93) for Windows, Mac and Linux, delivered on Tuesday. The Chrome 90 updates will roll out over the next days and weeks, the search giant said.
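For anyone tracking whether their fleet has picked up the fixed build, the practical check is a numeric version comparison against 90.0.4430.93 plus a look at whether the renderer sandbox (the mitigation Liu describes above) has been switched off. The following is an added example written for this article, not Google's or Threatpost's code; the inventory rows, hostnames and command lines are constructed sample data, and the `--no-sandbox` switch is the standard Chromium flag that disables the sandbox.

```python
"""Fleet-side triage for the Chrome 90 fixes described in the article.

Two checks per host: is the installed Chrome at or above the stable
release that carries the fixes, and is the sandbox still enabled?
Added example; the inventory below is constructed, not real telemetry.
"""
from typing import List, Tuple

# Stable-channel release named in the article as carrying the fixes.
FIXED_VERSION = "90.0.4430.93"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version string into a tuple of ints.

    Integer tuples compare numerically, so 90.0.4430.212 sorts above
    90.0.4430.93. Comparing the raw strings gets this wrong, because
    '9' > '2' lexicographically, which is a common fleet-report bug.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is at or above the fixed release."""
    return parse_version(installed) >= parse_version(fixed)


def sandbox_disabled(cmdline: str) -> bool:
    """True if a Chrome/Chromium command line carries --no-sandbox.

    That switch removes the boundary that, per the article, keeps
    CVE-2021-21227 a browser-only compromise rather than a host one.
    Exact-token match avoids false hits on similarly prefixed flags.
    """
    return "--no-sandbox" in cmdline.split()


# Constructed inventory rows: (host, installed version, chrome command line).
SAMPLE_INVENTORY = [
    ("ws-01", "90.0.4430.93",  "/opt/google/chrome/chrome"),
    ("ws-02", "90.0.4430.72",  "/opt/google/chrome/chrome"),
    ("ws-03", "90.0.4430.212", "/opt/google/chrome/chrome --no-sandbox"),
    ("ws-04", "89.0.4389.128", "/opt/google/chrome/chrome"),
]


def triage(inventory) -> List[Tuple[str, List[str]]]:
    """Return (host, reasons) for every host that needs attention."""
    findings = []
    for host, version, cmd in inventory:
        reasons = []
        if not is_patched(version):
            reasons.append(f"unpatched ({version} < {FIXED_VERSION})")
        if sandbox_disabled(cmd):
            reasons.append("sandbox disabled (--no-sandbox)")
        if reasons:
            findings.append((host, reasons))
    return findings


if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_INVENTORY):
        print(f"{host}: {'; '.join(reasons)}")
```

Run against the constructed rows, ws-01 is clean, ws-02 and ws-04 are below the fixed build, and ws-03 is fully patched but flagged because the sandbox is off. Feed it real data from whatever inventory source you already have (the version string Chrome reports and the process command line); the comparison logic is the part worth keeping.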