Google Patches Actively Exploited Flaw in Chrome Browser

A flaw (CVE-2021-21166) in the Audio component of Google Chrome is fixed in a new update being pushed out to Windows, Mac and Linux users.

Google has fixed a high-severity vulnerability in its Chrome browser and is warning Chrome users that an exploit exists in the wild for the flaw.

The vulnerability is one of 47 security fixes that the tech giant rolled out on Tuesday in Chrome 89.0.4389.72, including patches for eight high-severity flaws.

“The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux,” according to Google on Tuesday. “This will roll out over the coming days/weeks.”

Google Chrome: Actively-Exploited Security Flaw

The actively-exploited vulnerability in question (CVE-2021-21166) stems from the audio component of the browser, which has been found to have various security issues in the past. According to Google, the flaw is an object lifecycle issue. The object lifecycle is the period during which a programming-language object is valid for use, from the time it is created to the time it is destroyed; code that uses an object outside that window is operating on memory it no longer owns.

Beyond Google noting that it “is aware of reports that an exploit for CVE-2021-21166 exists in the wild,” further information about the glitch is unavailable. That’s because “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” according to Google.

The flaw was reported by Alison Huffman, with the Microsoft Browser Vulnerability Research team, on Feb. 11. Huffman reported another high-severity flaw that Google fixed in Chrome, which also stemmed from an object lifecycle issue in the audio component (CVE-2021-21165).

Other High-Severity Chrome Security Flaws

Details around the other high-severity vulnerabilities patched by Google in Chrome remain scant. However, Google said that it fixed three heap-buffer overflow flaws in the TabStrip (CVE-2021-21159, CVE-2021-21161) and WebAudio (CVE-2021-21160) components. A high-severity use-after-free error (CVE-2021-21162) was found in WebRTC.

Two other high-severity flaws include an insufficient data validation issue in Reader Mode (CVE-2021-21163) and an insufficient data validation issue in Chrome for iOS (CVE-2021-21164).

Google Chrome Security Updates

Chrome will in many cases update to its newest version automatically; however, security experts suggest that users double-check that this has happened. To check if an update is available:

  • Google Chrome users can go to chrome://settings/help by clicking Settings > About Chrome
  • If an update is available Chrome will notify users and then start the download process
  • Users can then relaunch the browser to complete the update
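The manual check above works for a single machine. For a fleet, an administrator can instead compare the versions Chrome reports against the fixed build, 89.0.4389.72. The script below is an added example, not code from the article or from Google; it assumes Chrome's usual four-part "major.minor.build.patch" version strings and a constructed host-to-version inventory.

```python
# Added example: decide whether a reported Chrome version carries the fix for
# CVE-2021-21166, which shipped in stable release 89.0.4389.72 (per the advisory).
# Not Google's code; assumes four-part "major.minor.build.patch" version strings
# such as those shown on chrome://settings/help.
from typing import Dict, Tuple

FIXED_VERSION = "89.0.4389.72"  # first stable build with the CVE-2021-21166 fix


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '89.0.4389.72' into (89, 0, 4389, 72); shorter strings are zero-padded.

    Components must be compared as integers: a plain string comparison would
    rank patch level '100' below '72' and misclassify a newer build as vulnerable.
    """
    version = version.strip()
    if not version:
        raise ValueError("empty version string")
    try:
        nums = tuple(int(part) for part in version.split("."))
    except ValueError as exc:
        raise ValueError(f"non-numeric component in {version!r}") from exc
    return nums + (0,) * (4 - len(nums))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patched', 'VULNERABLE' or 'unknown' (unparseable version)."""
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            result[host] = "patched" if is_patched(version) else "VULNERABLE"
        except ValueError:
            result[host] = "unknown"
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames are placeholders, not real systems.
    sample = {
        "ws-01": "89.0.4389.72",    # exactly the fixed build
        "ws-02": "87.0.4280.141",   # older build mentioned in the article
        "ws-03": "89.0.4389.100",   # later patch level, numerically newer
        "ws-04": "n/a",             # inventory tool could not read the version
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```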

The fixes come after Google in February warned of a zero-day vulnerability in its V8 open-source web engine that’s being actively exploited by attackers. In January, the Cybersecurity and Infrastructure Security Agency (CISA) urged Windows, macOS and Linux users of Google’s Chrome browser to patch an out-of-bounds write bug (CVE-2020-15995) impacting the current 87.0.4280.141 version of the software.

And in December, Google updated Chrome to fix four bugs with a severity rating of “high” and eight overall. Three were use-after-free flaws, which could allow an adversary to trigger memory corruption in the browser, opening the door to a browser hack and host computer compromise.
