Chrome and Chromium updated after yet another exploit is found in browser's V8 JavaScript engine
Google has announced new updates to Chrome 89 following the discovery of yet another live exploit for a vulnerability in the V8 JavaScript engine.
One of the flaws affects V8, which in January was found to suffer from a heap overflow bug severe enough to prompt a round of updates.
Google warned in its update notes for the new browser version, 89.0.4389.128, that exploits for CVE-2021-21206 and CVE-2021-21220 "exist in the wild." It is also common for increasingly advanced criminals to reverse-engineer patches to figure out what they protect against, as vividly highlighted by SAP last week.
The V8 vuln, explained only as "Insufficient validation of untrusted input in V8 for x86_64," is noteworthy because it seems to be an increasing focus for researchers and malicious folk alike; back in January a Chrome update was prompted after live exploits were seen in the wild for a V8 heap corruption vuln.
Tarquin Wilton Jones, a security expert from Chromium browser maker Vivaldi, told The Register that today's updates were fairly routine, saying: "It is not surprising to see two or more issues being fixed in the same piece of software in quick succession."
He added that Vivaldi would be incorporating the Chromium updates in its own next minor update, commenting: "What is important is how much research goes into potentially severe issues, and how rapidly issues are fixed. Chromium has an excellent reputation for both, as well as sandbox technology as an extra layer of protection that often reduces or mitigates issues completely. Issues are taken extremely seriously by the project, even if they do not manage to break out of the sandbox."
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-04-26 | CVE-2021-21220 | Out-of-bounds Write vulnerability in multiple products. Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |