Author Topic: Another Chrome zero-day exploit

Jason (Administrator)
« on: June 20, 2021, 04:37:46 pm »
This zero-day vulnerability was found a few days ago as reported by Bleeping Computer. This one affects Windows, Macs and Linux. The article notes that "Successful exploitation of this vulnerability could lead to arbitrary code execution on computers running unpatched Chrome versions". This may affect any browser that is based on Chromium or Chrome code like Brave, for example.

Zero-day refers to the amount of time that has passed since a vulnerability was found and fixed. Usually, you hear about patches when the announcement is released to give the company some time to fix it. A zero-day vulnerability means it was just found and a patch isn't available. A zero-day exploit refers to code that miscreants are running to control the program and the resources it has access to.

Companies with a lot of resources like Google can patch them fairly quickly and a patch has been released for this one. If you use Chrome, you can check to see if it's been patched by looking at the version number. The attached screenshot shows how you check the version number (for Chromium) and what you'll see when you do. If it's 91.0.4472.114 or above, it's been patched. If not, run your update program in the browser (in Windows or Mac) or in the browser itself.

If there isn't a patch for it, be very careful about visiting unknown or untrusted sites, and check the URL carefully to make sure you're actually at a legitimate site. You should anyway, but when your browser is unpatched, be especially on guard. For example, you could get an email that looks like it's from your bank or PayPal or whatever. And when you go there, it looks just like the site you expect, but it's not. You go to it and it runs code to take over your browser or your computer entirely. If your browser doesn't have the patch yet, there isn't much you can do other than that. I'm using Xubuntu 20.04 and it hasn't been patched yet in Brave, which is based on Chromium code (which also has the vulnerability). I expect it will be soon.

Our members are unlikely to fall for this, but you might want to tell your less technically-inclined family and friends to check the version number if they're using Chrome or a Chrome-based browser, because they're more likely to fall for this exploit. You might also want to show them how to tell when the website address is a fake version of the one they expect (e.g. their bank). There are a lot of things to check, so they may not read it all, but at the very least they should do steps 2 and 3 and 4 if possible.

What bothers me is I had heard of one or two other zero-days in Chrome/Chromium but I didn't realize that this is the 7th one this year! Yikes!
« Last Edit: June 20, 2021, 04:46:52 pm by Jason »
"With all its sham, drudgery, and broken dreams, it is still a beautiful world." - Max Ehrmann, Desiderata
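The version check in the post above ("91.0.4472.114 or above means patched") is easy to get wrong when scripted across a fleet of machines, because comparing version strings as text ranks "91.0.4472.9" above "91.0.4472.114". The example below is added here and is not code from the post or from Google; it parses the dotted version out of a bare version string or the output of `chrome --version` / `chromium --version` and compares it component-wise as integers against the fixed version the post cites. The sample outputs are constructed, not captured from a real machine, and the script assumes a Chromium-style four-part version number (Brave's own version scheme, e.g. 1.x.y, is different, so for Brave use the Chromium version shown on its about page, as the post suggests).

```python
import re

# Fixed Chrome version named in the post above.
PATCHED_VERSION = "91.0.4472.114"

# First dotted number with two to four components, e.g. "91.0.4472.114".
_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\b")


def parse_version(text):
    """Return the first dotted version number in `text` as a tuple of ints.

    Accepts a bare version ("91.0.4472.77") or a whole `--version` line
    ("Chromium 91.0.4472.77 Built on Ubuntu ..."). Raises ValueError if
    no version number is present, rather than silently treating the
    input as unpatched or patched.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(version_text, fixed=PATCHED_VERSION):
    """True if the installed version is at or above the fixed version.

    Tuples of ints compare component by component, so 91.0.4472.9 is
    correctly ranked below 91.0.4472.114 (string comparison gets this
    backwards because "9" > "1").
    """
    return parse_version(version_text) >= parse_version(fixed)


def report(version_lines, fixed=PATCHED_VERSION):
    """Classify a list of `--version` lines; returns [(line, status)].

    Status is "patched", "UNPATCHED", or "unknown" when the line carries
    no parseable version (so an odd line never passes as patched).
    """
    results = []
    for line in version_lines:
        try:
            status = "patched" if is_patched(line, fixed) else "UNPATCHED"
        except ValueError:
            status = "unknown"
        results.append((line, status))
    return results


# Constructed sample `--version` outputs for demonstration only.
SAMPLE_OUTPUTS = [
    "Google Chrome 91.0.4472.114",
    "Chromium 91.0.4472.77 Built on Ubuntu , running on Ubuntu 20.04",
    "Google Chrome 92.0.4515.107",
    "Google Chrome 91.0.4472.9",
    "chrome: command not found",
]

if __name__ == "__main__":
    for line, status in report(SAMPLE_OUTPUTS):
        print(f"{status:10s} {line}")
```

On a real machine, feed the script the output of the browser's `--version` flag or the version string shown on the about page; a "patched" result only means the browser binary is at the fixed version, and running tabs still need a restart to pick it up.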