If you haven’t recently checked what version of Google Chrome you are using, you should definitely check. Google recently addressed another actively exploited zero-day vulnerability in its browser, CVE-2021-21193.
This is the second time Google releases such an update within a month. In fact, it should be noted that the update consists of five fixes.
To be secure, you should be running Chrome version 89.0.4389.90 for Windows, Mac, and Linux operating systems.
More about CVE-2021-21193
This zero-day is described as “Use after free in Blink.” It was reported by an external researcher.
Google hasn’t provided much information about the bugs fixed with the latest Chrome stable release. However, the company has said that there are reports about the zero-day being exploited in the wild.
Three of the vulnerabilities were reported by external researchers, with bug bounties paid out:
[$500] High CVE-2021-21191: Use after free in WebRTC. Reported by raven (@raid_akame) on 2021-01-15
[$TBD] High CVE-2021-21192: Heap buffer overflow in tab groups. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-02-23
[$TBD] High CVE-2021-21193: Use after free in Blink. Reported by Anonymous on 2021-03-09
About a month ago, Google fixed a Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150. The vulnerability allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Google to include a new security feature against vulnerabilities
On the positive side, a new security improvement of Microsoft Edge and Google Chrome will be added to the browsers soon. Both Chrommium-based browsers will support a new security feature provided by Intel whose purpose is to protect against vulnerabilities.
Called CET, or Control-flow Enforcement Technology, the feature is based on a hardware component first introduced in 2016 and added to Intel’s 11th generation CPUs last year. Its purpose is to shield programs from Return Oriented Programming (ROP) and Jump Oriented Programming (JOP) attacks.
In terms of browser security, ROP and JOP attacks include bypassing the browser’s sandbox or performing remote code execution. The CET feature provided by Intel will block these attempts by enabling exceptions when the natural flow is altered.