If you use Google Chrome or a Chromium-based browser such as Microsoft Edge, update it immediately and/or check it for updates over the coming days: there is a zero-day bug being “actively exploited” in the older version of Chrome that will also affect other vendors’ browsers.
“Google is aware of reports that an exploit for CVE-2021-21148 [the zero-day; more details below] exists in the wild,” said the loquacious adtech firm in a statement.
The V8 vuln affects Chromium-based browsers in general and not just Google Chrome itself. Tarquin Wilton-Jones, developer at Vivaldi, told The Register: “This is a generic Chromium issue, and affects Chromium-based browsers. We released an update for our desktop stable channel yesterday, which includes the Chromium update for this issue. We are currently testing our Android build with the update, and hope to have it released soon.”
Vivaldi composes sweet ad-blocking symphony for users of browser’s Android version
This means users of Microsoft Edge, Brave, and other fringe browsers need to get updating pronto. Firefox users may enjoy a moment – but only a moment – of smugness.
Two days later, Google’s Threat Analysis Group warned the world that North Koreans were probing zero-day researchers, though there is no evidence so far to suggest a firm link between the two.
OmahaProxy, a site that tracks what’s running under the hood in Chrome, shows that between the previous stable build (88.0.4324.146) and the latest (ending 150) V8’s version number was incremented, from 8.8.278.14 to .15 in the newest Chrome version.
Rubbish software security patches responsible for a quarter of zero-days last year
The Chromium log for the latest version (88.0.4324.150), naturally, contains no specific details of the bug yet. Chromium’s automatic vuln disclosure terms are for details to be published 14 weeks after a fix, if the bug isn’t revealed sooner.
Back in early November, Google patched another Chrome-affecting bug in V8 that allowed a remote attacker to exploit heap corruption through a specially crafted HTML page. Details of that bug haven’t yet entered the public domain but should do so pretty soon, if Google abides by its own 14-week disclosure rules. ®