Google has warned of reports that a zero-day vulnerability in the Chrome browser is being actively exploited in the wild.
The vulnerability, tracked as CVE-2021-21166, was reported by Alison Huffman from the Microsoft Browser Vulnerability Research team on February 11 and is described as an “object lifecycle issue in audio.”
Google has labeled the vulnerability as a “high” severity security flaw and has fixed the issue in the latest Chrome release.
Alongside CVE-2021-21166, Huffman also recently reported another high-severity bug, CVE-2021-21165, another object lifestyle issue in audio problem, and CVE-2021-21163, an insufficient data validation issue in Reader Mode.
The tech giant has not revealed further details concerning how CVE-2021-21166 is being exploited, or by whom.
Google’s announcement, published on Tuesday, also marked the release of Chrome 89 to the stable desktop channel for Windows, Mac, and Linux machines, which is currently rolling out. Users should upgrade to Chrome 89.0.4389.72 once available.
The Chrome 89.0.4389.72 release also contains a swathe of other security fixes and browser improvements. In total, 47 bugs have been patched, including a high-severity heap buffer overflow in TabStrip (CVE-2021-21159), another heap buffer overflow in WebAudio (CVE-2021-21160), and a use-after-free issue in WebRTC (CVE-2021-21162). A total of eight vulnerabilities are considered high-severity.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
This week, Microsoft released urgent updates for four zero-day vulnerabilities in Exchange Server. Microsoft says the bugs are being exploited in “limited targeted attacks” and is urging users to update as quickly as possible.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0