One of the flaws affects V8, which in January was found to suffer from a heap overflow bug severe enough to prompt a round of updates. This time round the V8 vulnerability is accompanied by a use-after-free vuln in Chrome's rendering engine Blink.
The Blink vuln was discovered during the Zero Day Initiative's Pwn2Own competition last week. No proof-of-concept code has yet been released by legitimate sources, though a very short gif of it in action was published on Twitter by bug hunters Dataflow Security.
Confirmed! The @dfsec_it team of @bkth_ & @_niklasb used a Typer Mismatch bug to exploit the #Chrome renderer and #Microsoft #Edge. They earn $100,000 total and 10 Master of Pwn points. #Pwn2Own pic.twitter.com/6mpl5GPz6c— Zero Day Initiative (@thezdi) April 7, 2021
Nonetheless, Google warned in its update notes for the new browser version, 89.0.4389.128, that exploits for CVE-20201-21206 (Blink) and CVE-2021-21220 (V8) "exist in the wild." It is also common for increasingly advanced criminals to reverse-engineer patches to figure out what they protect against, as vividly highlighted by SAP last week. Having done so, crims then rush out to target unpatched deployments.
Both CVEs were said by Google to be "high" severity, though scoring details and schema were not given. The V8 vuln, explained only as "insufficient validation of untrusted input in V8 for x86_64," is noteworthy because it seems to be an increasing focus for researchers and malicious folk alike; back in January a Chrome update was prompted after live exploits were seen in the wild for a V8 heap corruption vuln.
At the time of publication on 14 April
Tarquin Wilton Jones, a security expert from Chromium browser maker Vivaldi, told The Register that today's updates were fairly routine, saying: "It is not surprising to see two or more issues being fixed in the same piece of software in quick succession."
He added that Vivaldi would be incorporating the Chromium updates in its own next minor update, commenting: "What is important is how much research goes into potentially severe issues, and how rapidly issues are fixed. Chromium has an excellent reputation for both, as well as sandbox technology as an extra layer of protection that often reduces or mitigates issues completely. Issues are taken extremely seriously by the project, even if they do not manage to break out of the sandbox."
Joseph Carson, chief security scientist of access management firm Thycotic, told The Register: "The RCE (remote code execution) could allow attackers to run code on your endpoints which prompted Google to respond quickly to fix these exploits and when Google responds quickly, it's an urgent indicator that you must also."
SAP: It takes exploit devs about 72 hours to turn one of our security patches into a weapon against customersREAD MORE
Adding to this, Ed Williams, EMEA director of Trustwave's research tentacle SpiderLabs, said the patches raised "a number of interesting questions."
"It shows how difficult it is to write secure code," he said. "If Google, with all their knowledge, experience and expertise are writing vulnerable code then what does that mean for the rest of us mere mortals? For me, the answer lies in a multi-pronged approach. Secure Development Lifecycle (SDLC) and all that comes with is key, coupled with a robust and consistent penetration testing programme of key areas."
Williams also praised "the security research community" for uncovering the two vulnerabilities. ®