Security News > 2021 > April > Update Your Chrome Browser to Patch 2 New In-the-Wild 0-Day Exploits
Google on Tuesday released a new version of Chrome web-browsing software for Windows, Mac, and Linux with patches for two newly discovered security vulnerabilities for both of which it says exploits exist in the wild, allowing attackers to engage in active exploitation.
UPDATE: Agarwal, in an email to The Hacker News, confirmed that there's one more vulnerability affecting Chromium-based browsers that has been patched in the latest version of V8, but has not been included in the Chrome release rolling out today, thereby leaving users potentially vulnerable to attacks even after installing the new update.
"I suspect that the first patch was released with the Chrome update because of the published exploit but as the second patch was not applied to Chrome, it can still be exploited."
"Google is aware of reports that exploits for CVE-2021-21206 and CVE-2021-21220 exist in the wild," Chrome Technical Program Manager Prudhvikumar Bommana noted in a blog post.
Since the start of the year, Google has fixed three shortcomings in Chrome that have been under attack, including CVE-2021-21148, CVE-2021-21166, and CVE-2021-21193.
Users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaws.
News URL
Related news
- Week in review: MS Office flaw may leak NTLM hashes, malicious Chrome, Edge browser extensions (source)
- New Chrome zero-day actively exploited, patch quickly! (CVE-2024-7971) (source)
- Qilin ransomware now steals credentials from Chrome browsers (source)
- Russian APT29 hackers use iOS, Chrome exploits created by spyware vendors (source)
- Midnight Blizzard delivered iOS, Chrome exploits via compromised government websites (source)
- Russian Hackers Exploit Safari and Chrome Flaws in High-Profile Cyberattack (source)
- North Korean hackers exploit Chrome zero-day to deploy rootkit (source)
- North Korean Hackers Deploy FudModule Rootkit via Chrome Zero-Day Exploit (source)
- September 2024 Patch Tuesday forecast: Downgrade is the new exploit (source)
- Exploit code released for critical Ivanti RCE flaw, patch now (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-04-26 | CVE-2021-21206 | Use After Free vulnerability in multiple products Use after free in Blink in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2021-04-26 | CVE-2021-21220 | Out-of-bounds Write vulnerability in multiple products Insufficient validation of untrusted input in V8 in Google Chrome prior to 89.0.4389.128 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2021-03-16 | CVE-2021-21193 | Use After Free vulnerability in multiple products Use after free in Blink in Google Chrome prior to 89.0.4389.90 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2021-03-09 | CVE-2021-21166 | Data race in audio in Google Chrome prior to 89.0.4389.72 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2021-02-09 | CVE-2021-21148 | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |