Security News > 2021 > February > Chrome zero-day browser bug found – patch now!

Google, whose Project Zero bug-hunting team is often surprisingly vocal when describing and discussing software vulnerabilities, has taken a very quiet approach to a just-patched bug in its Chrome browser.

The phrase "Exploit exists in the wild" is shorthand for "The crooks found this vulnerability before we did and are already using it in real-life attacks".

Crooks with access to a reliable browser RCE exploit - for example, one that can be triggered by a deliberately booby-trapped image file or a purposefully malformed HTML document - have a powerful and treacherous way of injecting unauthorised program code into your browser.

By simply luring you to a web page that contains a suitably booby-trapped exploit file, the crooks can trick your browser into downloading, processing, and choking on, their exploit.

Once the crooks get that far, you have to assume that they can pull off a variety of additional attacks, such as reading private browser data, including authentication cookies; snooping on your browsing activity; modifying the pages served up by other websites; and implanting malware that will keep on running even after you exit the subverted browser process.

In this case, we're assuming that the exploit is triggered using booby-trapped JavaScript files, given that the buffer overflow bug exists in V8, which is the name of the JavaScript processing code used by Chrome and Chromium-based browsers.

News URL

https://nakedsecurity.sophos.com/2021/02/05/chrome-zero-day-browser-bug-found-patch-now/