On April 20, 2021, Google released Chrome 90.0.4430.85, designed to address a zero-day exploit hackers are currently taking advantage of, tracked as CVE-2021-21224. The patch also patches four other high severity security flaws that had previously been plaguing the most popular browser on the web. By the time you read these words, the latest version will be available for Windows, Mac and Linux users.
The other issues this latest patch addresses are tracked as follows:
- CVE-2021-21222 (a heap buffer overflow in V8)
- CVE-2021-21223 (an integer overflow in Mojo)
- CVE-2021-21225 (an out of bounds memory access issue in V8)
Needless to say, with a quartet of serious to critical severity flaws being addressed, this is an update you don’t want to miss.
If there’s a silver lining to be found, it lies in the fact that by itself, the remote code execution allowed by this particular zero-day exploit doesn’t allow a hacker to escape from Chrome’s sandbox. That’s not much of a silver lining though. The company explained in a blog post about the matter, and as demonstrated via a recently released proof of concept, it can easily be chained with another exploit to allow it to escape the sandbox.
Google and a number of other giant tech firms have been scrambling this year. They’ve been addressing zero-day and high severity security flaws left and right, trying gamely to stay one step ahead of the hackers, or at least not fall too far behind them.
Kudos to Google for taking fast action here. Be sure to update to the latest version as soon as feasible. If the current pace of patching holds, this is going to be a very busy year for everyone. Buckle up, it appears that 2021 is going to be a wild ride indeed.