Google Chrome Update Gets Serious: Hackers Already Have Attack Code

This article is more than 3 years old.

Update Google Chrome now, warn both Google and the Department of Homeland Security, as hackers already have attack exploit code for a high-severity, zero-day vulnerability.

Google has confirmed that it is aware of reports that a zero-day Chrome browser exploit exists in the wild. The Department of Homeland Security cybersecurity agency, CISA, has advised users to update now.

A zero-day vulnerability remains a relatively rare event in cybersecurity terms, and as such is both a valuable and dangerous thing in the hands of threat actors. The term relates to a vulnerability that is actively exploited by hackers before it has been discovered by either the product vendor or the threat intelligence community. Only at the point of discovery, day zero, can mitigation efforts begin. This leaves the threat window wide open, often for weeks or months, to the attackers with that head start. Chrome has been subject to more than a few zero-days across the last few months, it has to be said, but just how serious is this latest threat?

How serious is the CVE-2021-21148 zero-day threat?

In the case of CVE-2021-21148, not a great deal is publicly known at this point in time. This isn't unusual, as vendors and security researchers will work together to ensure full disclosure isn't made until the majority of users have had the chance to upgrade and patch the vulnerability. What is known is that this is a high-severity vulnerability in the Google Chrome WebAssembly and JavaScript engine, V8. Described as being a heap buffer overflow issue, this points to a threat of potential arbitrary code execution by someone attacking a computer running an unpatched version of the browser.

"It's hard to overstate how devastating vulnerabilities which can be leveraged without any interaction on the part of the end user, beyond loading a page, can be," Mitch Mellard, a threat intelligence analyst at SY4 Security, says. "There was some optimism in the netsec community that with the forced retirement of Adobe Flash, exploits which could be triggered by simply visiting an endpoint would become fewer and farther between. Yet it feels like while the dirt atop the Flash grave is still fresh, we are observing browser vulnerabilities which evoke memories of exploit kits back in their heyday."

Although Google has confirmed that exploits are already known to exist in the wild, there has been no confirmation of those attacks or, indeed, the attackers with that exploit code. This has led to some speculation that this could be related to the January warnings from Microsoft and Google of North Korean threat actors using a Chrome zero-day in an active hacking campaign aimed at security researchers.

I have reached out to Google for further information regarding both the vulnerability itself and the active exploitation it has reported.

Mitigation advice is simple: update now

Homeland Security's cybersecurity agency says it is encouraging both users and administrators to apply the necessary updates as soon as possible. These updates, for Windows, Mac and Linux versions of the Chrome browser, and those browsers such as Edge which are built using the same Chromium platform, will be rolling out "over the coming days and weeks," according to Google. The patched Chrome version to look out for is 88.0.4324.

Automatic updating ensures that Chrome is updated to the latest version once the browser is restarted. Of course, not everyone will have automatic updates enabled, and not all of those who do will reboot Chrome on a regular basis. To ensure you are protected from this threat, select 'About Google Chrome' from the three-dot menu which will kickstart the update process. Remember to restart the browser or the update will not have been applied.

My copy of Edge also already has the little update arrow sitting on the three-dots menu, meaning the update to version 88.0.705.62 is ready to install. Click on that arrow and the top menu item will be to update now. I strongly suggest you do just that. Like Chrome itself, the update will only be applied once you restart your browser.
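For administrators checking many machines rather than one, the following added example (not from the article, Google or CISA) triages a browser inventory against the two version numbers quoted above and separates machines that have downloaded the update but not yet restarted the browser. The hostnames, inventory rows and status names are constructed for illustration. Because the article gives the Chrome version with only three components, any 88.0.4324.x build is reported as needing a check against the vendor advisory rather than assumed patched.

```python
# Thresholds are the versions named in the article; everything else is constructed.
PATCHED = {
    "chrome": "88.0.4324",   # the article gives only three components
    "edge": "88.0.705.62",
}

def parse(version):
    """Split a dotted version into a tuple of ints, rejecting malformed input."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version string: {version!r}")
    return tuple(int(p) for p in parts)

def classify(browser, version):
    """Return 'outdated', 'patched' or 'check-build' for one version string."""
    want = parse(PATCHED[browser.lower()])
    have = parse(version)
    prefix = have[:len(want)]
    if prefix < want:
        return "outdated"
    if prefix > want:
        return "patched"
    # Same prefix: a longer installed version carries a build number the
    # threshold does not cover, so it must be checked against the vendor advisory.
    return "check-build" if len(have) > len(want) else "patched"

def triage(inventory):
    """Map host -> status, judging by the running process, not the files on disk."""
    report = {}
    for host, browser, on_disk, running in inventory:
        run_state = classify(browser, running)
        if run_state == "outdated" and classify(browser, on_disk) != "outdated":
            run_state = "restart-pending"   # update downloaded, browser not restarted
        report[host] = run_state
    return report

# Constructed inventory: (host, browser, version on disk, version of running process)
INVENTORY = [
    ("ws-01", "chrome", "89.0.4389.72", "89.0.4389.72"),
    ("ws-02", "chrome", "89.0.4389.72", "87.0.4280.141"),
    ("ws-03", "chrome", "88.0.4324.96", "88.0.4324.96"),
    ("ws-04", "edge", "88.0.705.62", "88.0.705.62"),
    ("ws-05", "edge", "88.0.705.56", "88.0.705.56"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```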

"This zero-day vulnerability again emphasizes the importance of having an enterprise-wide comprehensive security program incorporating people, processes and technical controls," Niamh Muldoon, global data protection officer at OneLogin, says. "CISOs should be speaking to their leadership teams about the security posture of their technology environment that delivers their key products and services and provide assurance that associated exploitation risks associated with these identified vulnerabilities are patched."

Does this mean you should move away from Google Chrome?

The consensus of security opinion seems to be, quite rightly in my opinion, no.

"We often see zero days found in certain tech products. Quite often, this isn't the result of the product suddenly becoming insecure," says Javvad Malik, security awareness advocate at KnowBe4, "but rather it's because a researcher or group of researchers have spent some time taking a deep dive into the inner workings of a particular product or tool." Malik explains that "we see the same pattern repeat over time, whether it be because certain products achieve greater publicity or when there is more focus on it from an attack perspective."

"According to CVE Details, since 2016 - 2017, Google Chrome has been subjected to an increased number of new vulnerabilities related to both code execution and gaining information," David Kennefick, product architect at Edgescan, says. "I would suggest that this is related to the value of the data that an attacker could access, so more effort is being expended to discover vulnerabilities that could better enable data exfiltration."

"Just like Internet Explorer before it, Google Chrome has over 60% market share and as a result it is an opportune target for those looking for security vulnerabilities," Stephen Kapp, chief technology officer at Cortex Insight, points out. "Vulnerabilities in software are just part of the course and when something is as widely used as Google Chrome, the extra scrutiny is warranted and it only makes the software better over time."
