Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Application Security

Google Chrome Zero-Day Under Attack, Again

For the third time this year, Google has shipped an urgent fix to block in-the-wild zero-day attacks hitting its flagship Chrome browser.

For the third time this year, Google has shipped an urgent fix to block in-the-wild zero-day attacks hitting its flagship Chrome browser.

The latest emergency Chrome patch, available for Windows, MacOS and Linux, provides cover for at least five (5) documented vulnerabilities. Three of the five bugs are rated “high-risk,” Google’s highest severity rating.

Buried in Google’s advisory is a throwaway line that “Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild.”

The company did not release any additional information on the live attacks or the operating system platforms being targeted.  

[ SEE: Google: North Korean Hackers Targeting Security Researchers ]

It is the third in-the-wild zero-day attack hitting Chrome users in 2021, and in all three cases, Google has been stingy with information on the malware used, the OS platforms targeted or the indicators of compromise that help enterprise defenders.  

In one prominent case, the North Korean state-sponsored hacks against security researchers, Google has barely confirmed the existence of the Chrome zero-day with a one-line mentioned that fully-patched Chrome installations were being compromised. 

The latest zero-day is described simply as a use-after-free vulnerability in Chrome’s Blink rendering engine that was anonymously reported to Google.

Advertisement. Scroll to continue reading.

By contrast, when Google research teams discovered a massive cyber-espionage operation rampant on Apple’s iOS platform, the company produced a riveting blog post with “a very deep dive into iOS Exploit chains found in the wild.”

The Chrome patch is being pushed to Chrome users via the browser’s automatic updating mechanism but users are urged to restart browser sessions to properly apply the fixes.

Related: Google Chrome, Microsoft IE Zero-Days in Crosshairs

RelatedGoogle Warns of North Korean Gov Hackers Targeting Security Researchers

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.

Register

Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...