With this month’s Chrome update, version 89.0.4389.90, Google has patched another zero-day vulnerability that was being exploited in the wild.
Google says it is aware of the vulnerability, tracked as CVE-2021-21193, and released the update in response.
Severity of the zero-day vulnerability:
The vulnerability carries a high severity rating on the CVSS scale, underlining the risk it poses.
The zero-day vulnerability has been characterized by Google as a “use after free bug” in the Blink component of its browser.
Blink is an open-source browser layout engine developed by Google for its Chromium project and subsequently for the Chrome browser.
For those unfamiliar with the term, a “use after free” bug is a memory corruption bug that arises when an application continues to use a block of memory after that memory has been freed and is no longer assigned to it.
In terms of impact, the zero-day gave a threat actor the ability to execute arbitrary code remotely on the compromised system. Attackers can lure victims to malicious websites specially crafted to trigger that code execution, or to cause a DDoS, i.e. a distributed denial-of-service attack, against the victim or system.
Mitigating zero-day risks:
Google, although aware of the vulnerability, has yet to comment on or provide details about the active exploitation of the now-patched flaw.
“Access to the vulnerability details and links may be kept confined until a majority of users are updated with a fix,” states Google.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
Until Google discloses further details, users should not delay installing the security update, which is rolling out over the coming days, in order to limit the risk of the vulnerability being exploited further.
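For administrators checking whether a fleet has actually received the fixed build, the following is an added example (not code from the article or from Google): it parses version strings such as the output of `google-chrome --version`, compares them numerically against 89.0.4389.90, and lists hosts still needing the update. The inventory dictionary is constructed sample data.

```python
import re

# Chrome build that ships the fix for CVE-2021-21193, as stated in the article.
FIXED_VERSION = "89.0.4389.90"

def parse_version(text):
    """Extract a dotted Chrome version from a string such as the output of
    `google-chrome --version` ("Google Chrome 89.0.4389.82") and return it
    as a tuple of ints so that comparison is numeric, not lexicographic."""
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    # Pad short versions (e.g. "89.0") so tuple comparison lines up field by field.
    return tuple(parts + [0] * (4 - len(parts)))

def is_patched(version_text, fixed=FIXED_VERSION):
    """True if the reported Chrome version already contains the fix."""
    return parse_version(version_text) >= parse_version(fixed)

def triage(inventory):
    """Given {hostname: version string}, return the hosts that still need
    the update, sorted by hostname."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))

# Constructed sample inventory (hostnames and versions are made up), e.g. as
# collected by an endpoint-management tool from `google-chrome --version`.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 89.0.4389.82",   # pre-fix build
    "ws-02": "Google Chrome 89.0.4389.90",   # exactly the fixed build
    "ws-03": "Google Chrome 89.0.4389.9",    # string-compares above ".90" but is numerically older
    "ws-04": "Google Chrome 100.0.4896.60",  # major > 89; a naive string compare would call this old
    "ws-05": "Chromium 88.0.4324.182",       # older major release
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> UPDATE REQUIRED")
```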