Google Chrome Zero-Day Under Attack, Again


For the third time this year, Google has shipped an urgent fix to block in-the-wild zero-day attacks hitting its flagship Chrome browser.

The latest emergency Chrome patch, available for Windows, MacOS and Linux, provides cover for at least five (5) documented vulnerabilities. Three of the five bugs are rated “high-risk,” Google’s highest severity rating.

Buried in Google’s advisory is a throwaway line that “Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild.”

The company did not release any additional information on the live attacks or the operating system platforms being targeted.  

It is the third in-the-wild zero-day attack hitting Chrome users in 2021, and in all three cases, Google has been stingy with information on the malware used, the OS platforms targeted or the indicators of compromise that help enterprise defenders.  

In one prominent case, the North Korean state-sponsored hacks against security researchers, Google has barely confirmed the existence of the Chrome zero-day with a one-line mentioned that fully-patched Chrome installations were being compromised. 

The latest zero-day is described simply as a use-after-free vulnerability in Chrome’s Blink rendering engine that was anonymously reported to Google.

By contrast, when Google research teams discovered a massive cyber-espionage operation rampant on Apple’s iOS platform, the company produced a riveting blog post with “a very deep dive into iOS Exploit chains found in the wild.”

The Chrome patch is being pushed to Chrome users via the browser’s automatic updating mechanism but users are urged to restart browser sessions to properly apply the fixes.

Related: Google Chrome, Microsoft IE Zero-Days in Crosshairs

RelatedGoogle Warns of North Korean Gov Hackers Targeting Security Researchers

view counter

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends. He is a regular speaker at cybersecurity conferences around the world.
Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan’s career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World.
Follow Ryan on Twitter @ryanaraine.

Previous Columns by Ryan Naraine:
Tags:



Don't forget to share

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *