Security News > 2021 > April > Google fixes exploited Chrome zero-day dropped on Twitter last week

Google fixes exploited Chrome zero-day dropped on Twitter last week
2021-04-21 17:03

Google has released Chrome 90.0.4430.85 to address an actively exploited zero-day and four other high severity security vulnerabilities impacting today's most popular web browser.

PoC dropped on Twitter, zero-day fixed one week later.

Google did not share any details on the zero-day besides describing it as a 'Type Confusion in V8' and saying that it was reported by VerSprite Inc's Jose Martinez.

Martinez linked it to a proof-of-concept exploit publicly shared on Twitter one week ago after his initial Chrome Vulnerability Reward Program report from April 5th. This remote code execution vulnerability cannot be exploited by attackers to escape Chromium's sandbox security feature.

The zero-day PoC for CVE-2021-21224 was dropped on Twitter one day after Google released Chrome 89.0.4389.128 to fix another zero-day bug with a PoC exploit publicly shared two days earlier.

Timeline:5th April: I've submitted my bug to Google Chrome VRP report12th April: I've submitted my RCE 0day exploit12th April: Google patched v8 engine, but also made regress/unittest public14th April: people viralized 1day exploit.


News URL

https://www.bleepingcomputer.com/news/security/google-fixes-exploited-chrome-zero-day-dropped-on-twitter-last-week/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2021-04-26 CVE-2021-21224 Type Confusion vulnerability in multiple products
Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
network
low complexity
google debian fedoraproject CWE-843
8.8

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Google 103 256 4322 4698 744 10020
Twitter 5 0 6 2 0 8