In total, the new update address two vulnerabilities which affect V8 and Chrome’s rendering engine Blink. Back in January, V8 was found to suffer from a high severity heap buffer overflow memory corruption bug.
Now though, a new V8 vulnerability (tracked as CVE-2021-21220) is being addressed alongside a use-after-free bug in Blink (tracked as CVE-2021-21206).
The Blink vulnerability was first discovered by Bruno Keith and Niklas Baumstark from Dataflow Security during the Zero Day Initiative’s recent Pwn2Own competition. While they did not release any proof-of-concept (PoC) code, Security researcher Rajvardhan Agarwal developed an exploit for the vulnerability and recently posted it on Twitter.
Chrome update 89.0.4389.128
In a new post on the Chrome Releases blog, Google explained that exploits for both the Blink vulnerability and the V8 vulnerability “exist in the wild”.
While Chrome’s Stable channel has been updated for the Windows, Mac and Linux versions of the browser and version 89.0.4389.128 is expected to be rolled out in the coming days/weeks, cybercriminals could still try to leverage these vulnerabilities in their attacks. This is because cybercriminals with advanced coding skills often try to reverse-engineer patches to discover what they protect against which allows them to target unpatched deployments.
Google Chrome users should update their browser to the latest version once it becomes available to protect themselves from any potential exploits leveraging these vulnerabilities.
Via The Register