Security News > 2021 > April > Google fixes exploited Chrome zero-day dropped on Twitter last week
Google has released Chrome 90.0.4430.85 to address an actively exploited zero-day and four other high severity security vulnerabilities impacting today's most popular web browser.
PoC dropped on Twitter, zero-day fixed one week later.
Google did not share any details on the zero-day besides describing it as a 'Type Confusion in V8' and saying that it was reported by VerSprite Inc's Jose Martinez.
Martinez linked it to a proof-of-concept exploit publicly shared on Twitter one week ago after his initial Chrome Vulnerability Reward Program report from April 5th. This remote code execution vulnerability cannot be exploited by attackers to escape Chromium's sandbox security feature.
The zero-day PoC for CVE-2021-21224 was dropped on Twitter one day after Google released Chrome 89.0.4389.128 to fix another zero-day bug with a PoC exploit publicly shared two days earlier.
Timeline:5th April: I've submitted my bug to Google Chrome VRP report12th April: I've submitted my RCE 0day exploit12th April: Google patched v8 engine, but also made regress/unittest public14th April: people viralized 1day exploit.
News URL
Related news
- Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine (source)
- Google fixes two Android zero-days used in targeted attacks (source)
- Google says “Enhanced protection” feature in Chrome now uses AI (source)
- Google Chrome’s AI feature lets you quickly check website trustworthiness (source)
- Google says new scam protection feature in Chrome uses AI (source)
- Google Chrome uses AI to analyze pages in new scam detection feature (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-04-26 | CVE-2021-21224 | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | 8.8 |