Google recently patched a potentially disastrous zero-day vulnerability in the desktop app of the Chrome web browser. The company also acknowledged that the exploit is being actively exploited in the wild.
In the recent release update from the Chrome team, it patched the issue with an update for the Windows, Mac, and Linux app to fix the heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript rendering engine.
The fix comes weeks after Google and Microsoft revealed details about a widespread social engineering attack carried out by North Korean hackers. In a report that Microsoft published shortly after the attack, it hinted that the hackers might have leveraged a potential zero-day vulnerability to carry out the attack. On January 24, Mattias Buelens reported the security flaw to Google.
Google’s statement however, doesn’t clarify if the attackers indeed leveraged the vulnerability. The attackers are said to belong to a North Korean state-sponsored hacking group known as Lazarus and were unsuccessful in their attempts to plant a Windows backdoor. Bug fixers at Google had a busy year last 2020, fixing five zero-day vulnerabilities in Chrome. The case was similar this year around, with Google addressing six issues already within the first couple of months.
