Two days after publishing a Chrome release addressing a critical vulnerability, Google released another Chrome update, 88.0.4324.150, which fixes CVE-2021-21148, a vulnerability already used by cybercriminals in exploits (0-day). Details have not been disclosed yet; it is only known that the vulnerability is caused by a heap overflow in the V8 JavaScript engine.
The issue is rated high, but not critical, in severity, which indicates that the vulnerability does not allow bypassing all levels of browser protection and is not sufficient to execute code on the system outside the sandbox environment. The Chrome vulnerability by itself does not allow bypassing the sandbox, so a full attack requires another vulnerability in the operating system.
Some analysts suggest that the vulnerability was used in an exploit from the ZINC attack on security researchers that was disclosed at the end of January. In that attack, a fictitious researcher was promoted last year on Twitter and various social networks. The persona initially earned a positive reputation by publishing reviews and articles about new vulnerabilities, but when publishing another article used an exploit for a 0-day vulnerability that runs code on the system when a link is clicked in Chrome for Windows.
Additionally, there are several security-related Google posts that have appeared recently:
- Report on exploits with 0-day vulnerabilities identified by the Project Zero team in the past year. The article provides statistics showing that 25% of the studied 0-day vulnerabilities were directly related to previously publicly disclosed and fixed vulnerabilities, i.e. the authors of the 0-day exploits found a new attack vector because of an incomplete or poor-quality fix (for example, developers of vulnerable programs often fix only a special case, or merely create the appearance of a fix without getting to the root of the problem). Such 0-day vulnerabilities could potentially have been avoided with more thorough investigation and fixing of the original vulnerabilities.
- Report on rewards paid by Google to security researchers for identifying vulnerabilities. A total of $6.7 million in rewards was paid in 2020, which is $280,000 more than in 2019 and almost twice as much as in 2018. A total of 662 awards were paid. The largest award was $132,000. $1.74 million was spent on payments related to the security of the Android platform, $2.1 million on Chrome, $270 thousand on Google Play and $400 thousand on research grants.