Google has rolled out fixes for five security vulnerabilities in
its Chrome web browser, including one which it says is being
exploited in the wild, making it the 17th such weakness[1]
to be disclosed since the start of the year.
Tracked as CVE-2021-4102[2], the flaw relates to a
use-after-free bug[3]
in the V8 JavaScript and WebAssembly engine, which could have
severe consequences ranging from corruption of valid data to the
execution of arbitrary code. An anonymous researcher has been
credited with discovering and reporting the flaw.
As it stands, it’s not known how the weakness is being abused in
real-world attacks, but the internet giant issued a terse statement
that said, “it’s aware of reports that an exploit for CVE-2021-4102
exists in the wild.” This is done so in an attempt to ensure that a
majority of users are updated with a fix and prevent further
exploitation by other threat actors.
CVE-2021-4102 is the second use-after-free vulnerability in V8
the company has remediated in less than three months following
reports of active exploitation, with the previous vulnerability
CVE-2021-37975[4], also reported by an
anonymous researcher, plugged in an update it shipped on September
30. It’s not immediately clear if the two flaws bear any relation
to one another.
With this latest update, Google has addressed a record 17
zero-days in Chrome this year alone —
Chrome users are recommended to update to the latest version
(96.0.4664.110) for Windows, Mac, and Linux by heading to Settings
> Help > ‘About Google Chrome’ to mitigate any potential risk
of active exploitation.
References
- ^
17th
such weakness (thehackernews.com) - ^
CVE-2021-4102
(chromereleases.googleblog.com) - ^
use-after-free bug
(cwe.mitre.org) - ^
CVE-2021-37975
(thehackernews.com)
Read more https://thehackernews.com/2021/12/update-google-chrome-to-patch-new-zero.html