Chrome and Chromium updated after yet another exploit is found in browser's V8 JavaScript engine
Posted: Mon Apr 19, 2021 1:08 am
Chrome and Chromium updated after yet another exploit is found in browser's V8 JavaScript engine
JS component seems to be focus of researchers and miscreants alike
The Register (UK) - Wed 14 Apr 2021
Google has announced new updates to Chrome 89 following the discovery of yet another live exploit for a vulnerability in the V8 JavaScript engine.
One of the flaws affects V8, which in January was found to suffer from a heap overflow bug severe enough to prompt a round of updates. This time round the V8 vulnerability is accompanied by a use-after-free vuln in Chrome's rendering engine Blink.
The Blink vuln was discovered during the Zero Day Initiative's Pwn2Own competition last week. No proof-of-concept code has yet been released by legitimate sources, though a very short gif of it in action was published on Twitter by bug hunters Dataflow Security.
Nonetheless, Google warned in its update notes for the new browser version, 89.0.4389.128, that exploits for CVE-2021-21206 (Blink) and CVE-2021-21220 (V8) "exist in the wild." It is also common for increasingly advanced criminals to reverse-engineer patches to figure out what they protect against, as vividly highlighted by SAP last week. Having done so, crims then rush out to target unpatched deployments.
Both CVEs were said by Google to be "high" severity, though scoring details and schema were not given. The V8 vuln, explained only as "insufficient validation of untrusted input in V8 for x86_64," is noteworthy because it seems to be an increasing focus for researchers and malicious folk alike; back in January a Chrome update was prompted after live exploits were seen in the wild for a V8 heap corruption vuln.
Article continues at:
https://www[dot]theregister[dot]com/2021/04/14/chrome_chromium_updates_v8_cve_javascript/