Google released fixes for five security bugs found in its Chrome browser, one of which was a zero-day vulnerability exploited in the wild.
Google's latest warning to patch Chrome vulnerabilities came on the heels of a report early last week from Menlo Security that the vast majority of Chrome users take close to one month to install a new patch.
Google reported that the bugs affect the Windows, macOS and Linux versions of the popular Chrome browser. The company also said it is aware that an exploit for CVE-2021-21193 exists in the wild, and that the newly discovered zero-day stems from a use-after-free flaw in Blink, the browser rendering engine developed as part of the Chromium project.
Security researchers are concerned that a remote attacker could exploit the zero-day vulnerability by tricking an unsuspecting user into visiting a specially crafted website, and then executing arbitrary code or causing a Denial-of-Service (DoS) attack on the vulnerable system.
Attackers can share and replicate these zero-day exploits much faster than the speed at which many organizations can patch, said Greg Ake, senior threat researcher at Huntress. He said identifying zero-days early in their lifecycle reduces overall risk for users of the software but does not help if a user’s computer was already compromised.
“Once an adversary has made use of the initial browser vulnerability, they can run additional tools and malicious code on the computer, allowing them to persist on the network and to begin work on satisfying their objectives,” Ake said. “Unfortunately, we see the continued need to remind users and businesses that fundamental cyber hygiene is important and the basics of a security program are key to a strong defensive strategy.”
Hank Schless, senior manager, security solutions at Lookout, added that Google has patched vulnerabilities quickly because Chrome runs over the cloud across Windows, Mac, Android, iOS and other devices. He said today’s news underscores why it’s important to use a cloud-based solution rather than legacy apps supported by on-premises infrastructure.
“If these vulnerabilities were found in an on-premises service, the onus would be on each organization’s administrators to manually run updates,” Schless said. “The lag time between when a vulnerability is discovered and the patch gets installed represents a window of opportunity for attackers to exploit the vulnerability, infiltrate the infrastructure and steal valuable data.”