Google has patched a zero-day vulnerability in Chrome internet browser for desktop that it says is being actively exploited within the wild.
“Google is conscious of studies that an exploit for CVE-2021-21148 exists within the wild,” the corporate stated in an announcement.
The safety flaw was reported to Google by Mattias Buelens on January 24.
Beforehand on February 2, Google addressed six issues in Chrome, together with one vital use after free vulnerability in Funds (CVE-2021-21142) and 4 excessive severity points in Extensions, Tab Teams, Fonts, and Navigation options.
Whereas it is typical of Google to restrict particulars of the vulnerability till a majority of customers are up to date with the repair, the event comes weeks after Google and Microsoft disclosed assaults carried out by North Korean hackers in opposition to safety researchers with an elaborate social engineering marketing campaign to put in a Home windows backdoor.
With some researchers contaminated just by visiting a pretend analysis weblog on totally patched methods operating Home windows 10 and Chrome browser, Microsoft, in a report revealed on January 28, had hinted that the attackers possible leveraged a Chrome zero-day to compromise the methods.
Though it isn’t instantly clear if CVE-2021-21148 was utilized in these assaults, the timing of the revelations and the truth that Google’s advisory got here out precisely in the future after Buelens reported the problem implies they could possibly be associated.
In a separate technical write-up, South Korean cybersecurity agency ENKI said the North Korean state-sponsored hacking group often called Lazarus made an unsuccessful try at focusing on its safety researchers with malicious MHTML information that, when opened, downloaded two payloads from a distant server, considered one of which contained a zero-day in opposition to Web Explorer.
“The secondary payload comprises the assault code that assaults the vulnerability of the Web Explorer browser,” ENKI researchers stated.
It is price noting that Google final yr fixed five Chrome zero-days that have been actively exploited within the wild in a span of 1 month between October 20 and November 12.