Security News > 2021 > April > Google fixes exploited Chrome zero-day dropped on Twitter last week

Google has released Chrome 90.0.4430.85 to address an actively exploited zero-day and four other high severity security vulnerabilities impacting today's most popular web browser.

PoC dropped on Twitter, zero-day fixed one week later.

Google did not share any details on the zero-day besides describing it as a 'Type Confusion in V8' and saying that it was reported by VerSprite Inc's Jose Martinez.

Martinez linked it to a proof-of-concept exploit publicly shared on Twitter one week ago after his initial Chrome Vulnerability Reward Program report from April 5th. This remote code execution vulnerability cannot be exploited by attackers to escape Chromium's sandbox security feature.

The zero-day PoC for CVE-2021-21224 was dropped on Twitter one day after Google released Chrome 89.0.4389.128 to fix another zero-day bug with a PoC exploit publicly shared two days earlier.

Timeline:5th April: I've submitted my bug to Google Chrome VRP report12th April: I've submitted my RCE 0day exploit12th April: Google patched v8 engine, but also made regress/unittest public14th April: people viralized 1day exploit.

News URL

https://www.bleepingcomputer.com/news/security/google-fixes-exploited-chrome-zero-day-dropped-on-twitter-last-week/