Google fixes exploited Chrome zero-day dropped on Twitter last week
Google has released Chrome 90.0.4430.85 to address an actively exploited zero-day and four other high severity security vulnerabilities impacting today's most popular web browser.
PoC dropped on Twitter, zero-day fixed one week later.
Google did not share any details on the zero-day besides describing it as a 'Type Confusion in V8' and saying that it was reported by VerSprite Inc's Jose Martinez.
Martinez linked it to a proof-of-concept exploit publicly shared on Twitter one week ago after his initial Chrome Vulnerability Reward Program report from April 5th. This remote code execution vulnerability cannot be exploited by attackers to escape Chromium's sandbox security feature.
The zero-day PoC for CVE-2021-21224 was dropped on Twitter one day after Google released Chrome 89.0.4389.128 to fix another zero-day bug with a PoC exploit publicly shared two days earlier.
Timeline:
- 5th April: I've submitted my bug to Google Chrome VRP report
- 12th April: I've submitted my RCE 0day exploit
- 12th April: Google patched v8 engine, but also made regress/unittest public
- 14th April: people viralized 1day exploit.
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-04-26 | CVE-2021-21224 | Type Confusion vulnerability in multiple products. Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | 8.8 |