On Friday, Google took significant steps to address another actively exploited zero-day vulnerability in its Chrome browser. This marks the second such fix in just a month, underscoring the ongoing risks present in web browsing environments.
The release of Chrome version 89.0.4389.90 for Windows, Mac, and Linux is expected to roll out to users over the coming days and weeks. This update addresses a total of five security issues, but one particular flaw has raised alarms within cybersecurity circles—a “use after free” vulnerability in the Blink rendering engine, identified as CVE-2021-21193.
Details regarding this vulnerability remain limited; however, it was reported to Google by an anonymous researcher on March 9. The flaw has been rated 8.8 out of 10 on the CVSS scale, indicating its severity. It could potentially allow a remote attacker to execute arbitrary code on the affected system, an exploit scenario that could be triggered by convincing a user to visit a specially crafted website. The report warns that such an exploit could lead not just to arbitrary code execution but also to denial-of-service conditions on the affected devices.
As is typical with zero-day vulnerabilities, Google has confirmed that exploits targeting CVE-2021-21193 exist but is withholding extensive details until the majority of users have secured their systems. This approach aims to limit further risk by making it harder for additional threat actors to develop exploits for this specific vulnerability.
According to Chrome Technical Program Manager Prudhvikumar Bommana, Google is aware that exploits for this vulnerability are “in the wild.” This is particularly concerning given that 2021 has already seen several critical flaws addressed in the Chrome environment. Earlier updates included fixes for an object lifecycle issue and a heap buffer overflow vulnerability, both of which posed significant risks to user security.
Existing Chrome users should take immediate action to update their browsers. This can be accomplished through the browser settings under Help > About Google Chrome, ensuring that they are running the latest version to safeguard against these identified vulnerabilities.
In assessing the tactics and techniques that could have been employed in the exploitation of CVE-2021-21193, one might refer to the MITRE ATT&CK framework. Relevant tactics could include initial access through social engineering techniques, allowing the attacker to gain entry by luring users to malicious sites. Once access is gained, persistence techniques may be employed by the attacker to maintain continuous access, potentially broadening the attack surface.
As Google continues to refine its security measures, business owners need to remain vigilant against such vulnerabilities, recognizing that the ever-evolving landscape of cybersecurity threats requires constant awareness and timely updates to software systems.
To echo the importance of timely updates, users are urged to act swiftly to mitigate any associated risks. With the frequency of zero-day vulnerabilities being addressed, proactive measures are essential for ensuring the security of business operations in an increasingly connected digital landscape.