Chrome and Chromium updated after yet another exploit is found in browser's V8 JavaScript engine

JS component seems to be focus of researchers and miscreants alike


Google has announced new updates to Chrome 89 following the discovery of yet another live exploit for a vulnerability in the V8 JavaScript engine.

One of the flaws affects V8, which in January was found to suffer from a heap overflow bug severe enough to prompt a round of updates. This time round the V8 vulnerability is accompanied by a use-after-free vuln in Chrome's rendering engine Blink.

The Blink vuln was discovered during the Zero Day Initiative's Pwn2Own competition last week. No proof-of-concept code has yet been released by legitimate sources, though a very short gif of it in action was published on Twitter by bug hunters Dataflow Security.

Nonetheless, Google warned in its update notes for the new browser version, 89.0.4389.128, that exploits for CVE-2021-21206 (Blink) and CVE-2021-21220 (V8) "exist in the wild." It is also common for increasingly advanced criminals to reverse-engineer patches to figure out what they protect against, as vividly highlighted by SAP last week. Having done so, crims then rush out to target unpatched deployments.

Both CVEs were said by Google to be "high" severity, though scoring details and schema were not given. The V8 vuln, explained only as "insufficient validation of untrusted input in V8 for x86_64," is noteworthy because it seems to be an increasing focus for researchers and malicious folk alike; back in January a Chrome update was prompted after live exploits were seen in the wild for a V8 heap corruption vuln.

Browser          Version         Chromium version
Google Chrome    89.0.4389.128   89.0.4389.128
Microsoft Edge   89.0.774.75     89.0.4389.114
Opera            75.0.3969.171   89.0.4389.114
Vivaldi          3.7.2218.45     89.0.4389.116
Brave            1.22.71         89.0.4389.114

At the time of publication on 14 April

Tarquin Wilton-Jones, a security expert from Chromium browser maker Vivaldi, told The Register that today's updates were fairly routine, saying: "It is not surprising to see two or more issues being fixed in the same piece of software in quick succession."

He added that Vivaldi would be incorporating the Chromium updates in its own next minor update, commenting: "What is important is how much research goes into potentially severe issues, and how rapidly issues are fixed. Chromium has an excellent reputation for both, as well as sandbox technology as an extra layer of protection that often reduces or mitigates issues completely. Issues are taken extremely seriously by the project, even if they do not manage to break out of the sandbox."

Joseph Carson, chief security scientist of access management firm Thycotic, told The Register: "The RCE (remote code execution) could allow attackers to run code on your endpoints which prompted Google to respond quickly to fix these exploits and when Google responds quickly, it's an urgent indicator that you must also."


Adding to this, Ed Williams, EMEA director of Trustwave's research tentacle SpiderLabs, said the patches raised "a number of interesting questions."

"It shows how difficult it is to write secure code," he said. "If Google, with all their knowledge, experience and expertise, are writing vulnerable code then what does that mean for the rest of us mere mortals? For me, the answer lies in a multi-pronged approach. Secure Development Lifecycle (SDLC) and all that comes with it is key, coupled with a robust and consistent penetration testing programme of key areas."

Williams also praised "the security research community" for uncovering the two vulnerabilities. ®
