Google is warning of a zero-day vulnerability in its V8 open-source web engine that’s being actively exploited by attackers.
A patch has been issued in version 88 of Google’s Chrome browser — specifically, version 88.0.4324.150 for Windows, Mac and Linux. Google said the update will roll out over the coming days and weeks, and that the flaw (CVE-2021-21148) stems from a heap-buffer overflow.
“Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild,” according to Google’s Thursday security update.
What is a Heap-Buffer Overflow Security Flaw?
A heap-buffer overflow flaw, as its name suggests, is a type of buffer-overflow error. This is a class of vulnerability in which a write runs past the end of a buffer in the region of a process’ memory used to store dynamically allocated data (the heap). If a buffer overflow occurs, it typically causes the affected program to behave incorrectly, according to researchers with Imperva – causing memory access errors and crashes — and opening the door to remote code execution.
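As an added illustration of the bug class described above (example code written for this article, not Chrome or V8 code, and unrelated to the specifics of CVE-2021-21148, which Google has not published): a heap buffer that is written with a caller-supplied length, first without and then with the bounds check that prevents the overflow. The record type, its capacity, and the function names are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a heap-allocated record with a fixed capacity,
 * standing in for any parser that copies externally supplied bytes into
 * a buffer it sized earlier. Names and sizes are illustrative. */
#define RECORD_CAP 16

typedef struct {
    char *data;   /* heap allocation of exactly RECORD_CAP bytes */
    size_t len;   /* number of valid bytes in data */
} record_t;

static record_t *record_new(void) {
    record_t *r = malloc(sizeof *r);
    if (r == NULL) return NULL;
    r->data = malloc(RECORD_CAP);
    if (r->data == NULL) { free(r); return NULL; }
    r->len = 0;
    return r;
}

static void record_free(record_t *r) {
    if (r == NULL) return;
    free(r->data);
    free(r);
}

/* Vulnerable pattern (the class of bug the article describes): the copy
 * trusts src_len and never compares it with the buffer's real capacity.
 * When src_len > RECORD_CAP the write runs past the allocation into
 * whatever the allocator placed next, corrupting heap metadata or a
 * neighbouring object. Shown for contrast only; nothing here calls it. */
int record_set_unchecked(record_t *r, const char *src, size_t src_len) {
    memcpy(r->data, src, src_len);     /* no bound against RECORD_CAP */
    r->len = src_len;
    return 0;
}

/* Hardened pattern: validate the length against the capacity before any
 * memory is touched, and fail closed. Returns 0 on success, -1 when the
 * input would not fit (or on a NULL argument). */
int record_set_checked(record_t *r, const char *src, size_t src_len) {
    if (r == NULL || src == NULL || src_len > RECORD_CAP) {
        return -1;
    }
    memcpy(r->data, src, src_len);
    r->len = src_len;
    return 0;
}

/* Allocate a record, try to store src through the checked setter, and
 * return the setter's verdict so the behaviour can be checked directly. */
int try_store(const char *src, size_t src_len) {
    record_t *r = record_new();
    if (r == NULL) return -1;
    int rc = record_set_checked(r, src, src_len);
    record_free(r);
    return rc;
}

int main(void) {
    const char *ok  = "0123456789abcdef";        /* exactly RECORD_CAP bytes */
    const char *bad = "0123456789abcdef-extra";  /* RECORD_CAP + 6 bytes */
    printf("in-range write:     %s\n",
           try_store(ok, strlen(ok)) == 0 ? "accepted" : "rejected");
    printf("out-of-range write: %s\n",
           try_store(bad, strlen(bad)) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The checked setter is the fix a code reviewer would ask for: the length comes from outside, so it is compared against the allocation's actual size before the copy, rather than assumed to fit. Building a test program with `-fsanitize=address` and routing an oversized input through the unchecked setter is how such a defect is usually caught before release; AddressSanitizer reports it under the same label Google used, "heap-buffer-overflow".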
However, beyond classifying the flaw as a heap-buffer overflow, Google did not specify the potential impact of this vulnerability. In fact, details of the bug overall (including how it can be exploited) remain scant while Google works to push out the fixes.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” said Google. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
What is the V8 JavaScript Engine?
The heap-buffer overflow error exists in V8, an open-source WebAssembly and JavaScript engine developed by the Chromium Project for Google Chrome and Chromium web browsers. V8, which is written in C++, can run stand-alone, or can be embedded into any C++ application.
Bugs have previously been discovered (and exploited) in V8, including a high-severity flaw in November that was tied to active exploits. That flaw was only described as an “inappropriate implementation in V8.”
Security Researchers: Targets for Chrome Zero-Day Exploits?
While Google didn’t provide further details of the attackers exploiting the flaw, researchers with Malwarebytes on Friday made a “general assumption” that the attack “was used against security researchers working on vulnerability research and development at different companies and organizations.”
They pointed to the timing of when the vulnerability was reported to Google by Mattias Buelens (Jan. 24) and when Google’s Threat Analysis Group released a report (Jan. 26). That report by Google researchers revealed that hackers linked to North Korea were targeting security researchers with an elaborate social-engineering campaign that set up trusted relationships with them — and then infected their organizations’ systems with custom backdoor malware.
“One of the methods the attackers used was to interact with the researchers and get them to follow a link on Twitter to a write-up hosted on a malicious website,” said researchers with Malwarebytes. “Shortly after the visit, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin to communicate with a command and control (C&C) server. This sure sounds like something that could be accomplished using a heap buffer overflow in a browser.”
However, Google has not confirmed any correlation with this attack.
Google Chrome Browser: How to Update
Researchers urge Google Chrome users to update as soon as possible. Chrome will in many cases update to its newest version automatically; however, security experts suggest that users double-check that this has happened. To check if an update is available:
- Google Chrome users can go to chrome://settings/help by clicking Settings > About Chrome
- If an update is available Chrome will notify users and then start the download process
- Users can then relaunch the browser to complete the update
Google Chrome Cybersecurity Flaws Continue
The flaw is only the latest security issue in Google Chrome in recent months. In January, the Cybersecurity and Infrastructure Security Agency (CISA) urged Windows, macOS and Linux users of Google’s Chrome browser to patch an out-of-bounds write bug (CVE-2020-15995) impacting the current 87.0.4280.141 version of the software.
And in December, Google updated Chrome to fix four bugs with a severity rating of “high” and eight overall. Three were use-after-free flaws, which could allow an adversary to generate an error in the browser’s memory, opening the door to a browser hack and host computer compromise.