
PSA: Update Chrome for Mac, as security flaw has been actively exploited

If you use Chrome for Mac, you’ll want to be sure it’s updated today: Google has just fixed a vulnerability that was being actively exploited by North Korean hackers …

Google rates it as a high-severity flaw.

This update includes 1 security fix. Please see the Chrome Security Page for more information.

[$TBD][1170176] High CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24

Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild.

CNET reports on the background: security researchers were among the targets.

The zero-day, which was assigned the identifier of CVE-2021-21148, was described as a “heap overflow” memory corruption bug in the V8 JavaScript engine.

Google said the bug was exploited in attacks in the wild before a security researcher named Mattias Buelens reported the issue to its engineers on January 24.

Two days after Buelens’ report, Google’s security team published a report about attacks carried out by North Korean hackers against the cyber-security community.

Some of these attacks consisted of luring security researchers to a blog where the attackers exploited browser zero-days to run malware on researchers’ systems.

While this looks like a targeted, state-sponsored attack, once the details of a zero-day exploit become public it is likely to be reused by other attackers in broader, less discriminating campaigns. Prompt updating is therefore always recommended.

You can update by going to Chrome > About Google Chrome; the update is applied only after you relaunch the browser. You'll also find there an option to switch on automatic updates, which Google recommends.

We can also soon expect a security update from Apple for a sudo bug that was likewise a heap overflow; sudo ships with macOS, so Macs are affected too.

The vulnerability, disclosed last week as CVE-2021-3156 (aka Baron Samedit) by security researchers from Qualys, impacts Sudo, an app that allows admins to delegate limited root access to other users. Qualys researchers discovered that they could trigger a “heap overflow” bug in the Sudo app to change the current user’s low-privileged access to root-level commands, granting the attacker access to the whole system.
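A quick way to check both issues from a Mac terminal, as an added example that is not code from the article, Google, Apple or Qualys: it reads the installed Chrome version from the app bundle and compares it with the fixed build, then runs the `sudoedit -s /` test that Qualys published for Baron Samedit. The fixed Chrome build number (88.0.4324.150) and the behaviour of the sudoedit test are taken from the respective advisories, not from the article, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article, Google, Apple or Qualys.
# Assumptions (from the vendor advisories, not from the article):
#   - Chrome 88.0.4324.150 is the first build carrying the CVE-2021-21148 fix.
#   - Qualys' published test for CVE-2021-3156: as a non-root user, run
#     `sudoedit -s /`; a vulnerable sudo answers "sudoedit: /: not a regular
#     file", a patched one rejects -s in sudoedit mode and prints its usage text.
CHROME_FIXED="88.0.4324.150"
CHROME_PLIST="/Applications/Google Chrome.app/Contents/Info.plist"

# version_ge A B: succeed if dotted numeric version A >= B.
# Fields are compared as integers, left to right; a missing field counts as 0,
# so "88.0.4324" sorts below "88.0.4324.150" and "89.0.1" sorts above it.
version_ge() {
    _a="$1"; _b="$2"
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        case "$_a" in *.*) _ax="${_a%%.*}"; _a="${_a#*.}" ;; *) _ax="$_a"; _a="" ;; esac
        case "$_b" in *.*) _bx="${_b%%.*}"; _b="${_b#*.}" ;; *) _bx="$_b"; _b="" ;; esac
        _ax="${_ax:-0}"; _bx="${_bx:-0}"
        if [ "$_ax" -gt "$_bx" ]; then return 0; fi
        if [ "$_ax" -lt "$_bx" ]; then return 1; fi
    done
    return 0
}

# chrome_status: 0 = fixed build installed, 1 = vulnerable build, 2 = Chrome not found.
chrome_status() {
    if [ ! -f "$CHROME_PLIST" ]; then
        echo "chrome: no install found at $CHROME_PLIST"
        return 2
    fi
    _v=$(/usr/libexec/PlistBuddy -c "Print :CFBundleShortVersionString" "$CHROME_PLIST")
    if version_ge "$_v" "$CHROME_FIXED"; then
        echo "chrome $_v: includes the fix for CVE-2021-21148"
        return 0
    fi
    echo "chrome $_v: still vulnerable to CVE-2021-21148; update via Chrome > About Google Chrome and relaunch"
    return 1
}

# sudo_status: 0 = patched, 1 = vulnerable, 2 = inconclusive (e.g. no sudoedit on PATH).
# Run as a normal user; the test fails before any password prompt either way.
sudo_status() {
    _out=$(sudoedit -s / 2>&1 </dev/null) || :
    case "$_out" in
        sudoedit:*) echo "sudo: vulnerable to CVE-2021-3156 (Baron Samedit)"; return 1 ;;
        usage:*)    echo "sudo: rejects 'sudoedit -s', CVE-2021-3156 is fixed"; return 0 ;;
        *)          echo "sudo: inconclusive result: $_out"; return 2 ;;
    esac
}

# Report both when the script is run directly; the functions' exit codes are
# what you would wire into a fleet-wide compliance check.
chrome_status || :
sudo_status || :
```

Run it as your normal login user, not as root. A Chrome that is installed somewhere other than /Applications (or per-user under ~/Applications) is reported as not found rather than as patched, so adjust CHROME_PLIST for non-standard installs instead of trusting a silent pass.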

Photo by Tima Miroshnichenko from Pexels




Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
