Google says new updates of its Chrome browser have a zero-day vulnerability that threat actors are actively exploiting. Specifically, the flaw is found in current versions of Google Chrome. This release covers Windows, Mac, and Linux versions of Chrome meaning all are at risk.

According to the company, there is a flaw in the V8 open-source web engine that runs Chrome. A patch has already been included in version 88.0.4234.150, which is rolling out over the coming days and weeks.

Google points out a heap-buffer overflow issue is causing the vulnerability, which is known as CVE-2021-21148.

“Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild,” Google’s Thursday security update reads. As usual, Google will keep most details under wraps until the patch has reached enough users.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” said Google. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

What’s the Problem?

A heap-buffer overflow is an error in buffer-overflow that affects processing memory. Specifically, the sections of a process’ memory that hosts dynamic variables (also called the heap) becomes overloaded and overflows. When this happens it can cause the program to misbehave and lead to memory access errors and program freezing.

It also causes vulnerabilities that bad actors can exploit with remote code execution attacks. That’s the general explantation but we need to wait for Google to offer more details to understand the specifics of this flaw.

As always, updating is a good way to protect against the vulnerability. While Google Chrome updates automatically, users can update manually. That could be helpful here because the automatic patch is rolling out in phases. To check if Chrome needs an update, head to chrome://settings/help by clicking Settings > About Chrome.

It is worth noting this vulnerability is unrelated to an incident last week where Microsoft Defender for Endpoint was flagging a Chrome update as malicious. It seems that incident remains an accident from the over-sensitive Microsoft Defender.  

Tip of the day:

Thanks to the Windows Subsystem for Linux (WSL) you can run complete Linux distributions within Windows 10. In our tutorial, we show you how to install Ubuntu or other Linux packages and how to activate the bash shell.