The use-after-free vulnerability is the third Google Chrome zero-day flaw to be disclosed in three months.
Google is hurrying out a fix for a vulnerability in its Chrome browser that’s under active attack – its third zero-day flaw so far this year. If exploited, the flaw could allow remote code-execution and denial-of-service attacks on affected systems.
The vulnerability exists in Blink, the browser engine for Chrome developed as part of the Chromium project. Browser engines convert HTML documents and other web page resources into the visual representations viewable to end users.
“The Stable channel has been updated to 89.0.4389.90 for Windows, Mac and Linux which will roll out over the coming days/weeks,” according to Google’s Friday security update.
The flaw (CVE-2021-21193) ranks 8.8 out of 10 on the CVSS vulnerability-rating scale, making it high-severity. It’s a use-after-free vulnerability, which relates to incorrect use of dynamic memory during program operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program, according to a description of the vulnerability.
Use-After-Free Zero-Day Flaw
According to an IBM X-Force vulnerability report, the flaw could allow a remote attacker to execute arbitrary code on the system.
“By persuading a victim to visit a specially crafted website, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial-of-service condition on the system,” according to the report.
Further details are scant because “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” according to Google. The bug was credited to an anonymous reporter.
Google also did not provide further specifics on the exploits other than to say it “is aware of reports that an exploit for CVE-2021-21193 exists in the wild.”
Threatpost has reached out to Google for further comment.
Other Google Chrome Security Flaws
Beyond the zero-day flaw, Google issued four other security fixes on Friday.
These included another high-severity use-after-free flaw (CVE-2021-21191), which exists in WebRTC. WebRTC, which stands for web real-time communications, is an open-source project that gives web browsers and mobile applications interactive communications capabilities (such as voice, video and chat). The flaw was reported by someone who goes under the alias “raven” (@raid_akame on Twitter).
Another high-severity flaw is a heap-buffer overflow error (CVE-2021-21192) that stems from Chrome tab groups. The flaw was reported by Abdulrahman Alqabandi with Microsoft Browser Vulnerability Research.
Third Zero-Day Chrome Security Flaw This Year
The use-after-free flaw is the third zero-day flaw to plague Google’s Chrome browser in the past three months — and the second this month alone. Earlier in March, Google said it fixed a high-severity zero-day vulnerability in its Chrome browser, which stems from the audio component of the browser.
And in February, Google warned of a zero-day vulnerability in its V8 open-source web engine that’s being actively exploited by attackers; a patch was issued in version 88 of Google’s Chrome browser.
Chrome will in many cases update to its newest version automatically. However, Chrome users can double-check whether an update has been applied:
- Google Chrome users can go to chrome://settings/help by clicking Settings > About Chrome
- If an update is available, Chrome will notify users and then start the download process
- Users can then relaunch the browser to complete the update
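
For administrators checking many machines rather than one browser, the same check can be scripted against the fixed build 89.0.4389.90 named in Google's update. The following is an added example, not code from Google or Threatpost; the hostnames, the inventory format and the sample version strings are constructed for illustration. It compares versions numerically, because a plain string comparison ranks a later build such as .128 below .90.

```python
import re

# Fixed Stable build for Windows, Mac and Linux, as quoted from Google's update.
PATCHED = (89, 0, 4389, 90)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text):
    """Extract the four-part version from text such as 'Google Chrome 89.0.4389.82'."""
    match = _VERSION_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_patched(text, minimum=PATCHED):
    """True at or above the fixed build, False below it, None if no version is found."""
    version = parse_chrome_version(text)
    if version is None:
        return None
    # Tuples of ints compare field by field, so 128 > 90 and 100 > 89.
    return version >= minimum


def triage(inventory):
    """Split a {host: reported version string} map into three host lists."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for host, reported in sorted(inventory.items()):
        status = is_patched(reported)
        key = "unknown" if status is None else ("patched" if status else "vulnerable")
        result[key].append(host)
    return result


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = {
    "ws-01": "Google Chrome 89.0.4389.90",
    "ws-02": "Google Chrome 89.0.4389.82",
    "ws-03": "Google Chrome 89.0.4389.128",
    "ws-04": "Google Chrome 100.0.4896.60",
    "ws-05": "not installed",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the unknown list need a manual check, and a host that reports the fixed version still has to relaunch Chrome before the update is complete.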