



Google has addressed a new zero-day flaw in the Chrome browser that is actually being exploited. This is the second flaw within a month.

Google has fixed a new zero-day that is being actively abused in the Chrome browser. This is the second zero-day issue that IT giants have addressed within a month. This flaw, tracked as CVE-2021-21193, is used because it is not vulnerable to the Blink rendering engine.

Google has addressed this issue with the 89.0.4389.90 version for Windows, Mac, and Linux. It will be available in the next few days.

This flaw was reported to Google on March 9 by an anonymous researcher. At the time of this writing, details of the vulnerability have not been disclosed to prevent other threat actors from actually exploiting the issue.

Google has also addressed four other vulnerabilities.

“This update contains five security fixes. The following highlights the fixes provided by external researchers. For more information, please visit Chrome’s security page.” Google published Read the post you made.

[$500][1167357] High CVE-2021-21191: Used after release by WebRTC. Reported by raven (@raid_akame) on 2021-01-15[$TBD][1181387] High CVE-2021-21192: Tab group heap buffer overflow. Report by Abdulrahman Alqabandi of Microsoft Browser Vulnerability Research on 2021-02-23[$TBD][1186287] High CVE-2021-21193: Used after release with Blink. Reported anonymously on 2021-03-09.

“Google is aware of reports that the CVE-2021-21193 exploit actually exists.”

Prudhvikumar Bommana, Chrome Technical Program Manager, added that Google has detected some bugs using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

CVE-2021-21193 is Chrome’s third zero-day flaw that has been actively exploited and has been addressed since January.

In early February, Google addressed an aggressively exploited zero-day vulnerability (tracked as CVE-2021-21148) with the release of the Chrome88.0.4324.150 version. The vulnerability is a heap buffer overflow that exists in V8, an open source high-performance JavaScript and WebAssembly engine written in C ++.

Earlier this month, Google addressed another zero-day issue that was tracked as CVE-2021-21166 and is actually being exploited.

In 2020, Google will address five actual exploited Chrome zero-day attacks.

In October, the IT giant undertook three zero-day attacks:

CVE-2020-15999 This flaw is a memory corruption bug in the FreeType font rendering library included in the standard Chrome release. CVE-2020-16009 is a Google Chrome Freetype heap buffer overflow. CVE-2020-16010 Affects the browser user interface (UI) component of Chrome for Android.

In November, the company addressed two other zero-day vulnerabilities that were actively exploited in the wild.

Both zero-day defects tracked as CVE-2020-16013 and CVE-2020-16017 were reported by anonymous sources.

Pierluigi Paganini

(SecurityAffairs hack, Google)

