Security News > 2021 > February > Chrome zero-day browser bug found – patch now!
Google, whose Project Zero bug-hunting team is often surprisingly vocal when describing and discussing software vulnerabilities, has taken a very quiet approach to a just-patched bug in its Chrome browser.
The phrase "Exploit exists in the wild" is shorthand for "The crooks found this vulnerability before we did and are already using it in real-life attacks".
Crooks with access to a reliable browser RCE exploit - for example, one that can be triggered by a deliberately booby-trapped image file or a purposefully malformed HTML document - have a powerful and treacherous way of injecting unauthorised program code into your browser.
By simply luring you to a web page that contains a suitably booby-trapped exploit file, the crooks can trick your browser into downloading, processing, and choking on, their exploit.
Once the crooks get that far, you have to assume that they can pull off a variety of additional attacks, such as reading private browser data, including authentication cookies; snooping on your browsing activity; modifying the pages served up by other websites; and implanting malware that will keep on running even after you exit the subverted browser process.
In this case, we're assuming that the exploit is triggered using booby-trapped JavaScript files, given that the buffer overflow bug exists in V8, which is the name of the JavaScript processing code used by Chrome and Chromium-based browsers.
News URL
https://nakedsecurity.sophos.com/2021/02/05/chrome-zero-day-browser-bug-found-patch-now/
Related news
- New Chrome zero-day actively exploited, patch quickly! (CVE-2024-7971) (source)
- Malware force-installs Chrome extensions on 300,000 browsers, patches DLLs (source)
- Microsoft discloses Office zero-day, still working on a patch (source)
- Microsoft August 2024 Patch Tuesday fixes 9 zero-days, 6 exploited (source)
- Week in review: MS Office flaw may leak NTLM hashes, malicious Chrome, Edge browser extensions (source)
- Google fixes ninth Chrome zero-day exploited in attacks this year (source)
- Google fixes ninth Chrome zero-day tagged as exploited this year (source)
- Qilin ransomware now steals credentials from Chrome browsers (source)
- Week in review: PostgreSQL databases under attack, new Chrome zero-day actively exploited (source)
- Google tags a tenth Chrome zero-day as exploited this year (source)