Google specialists have released a new version of the Chrome browser (89.0.4389.128) for Windows, macOS and Linux, fixing two vulnerabilities, for one of which there is already a PoC code, and the second is actively exploited in attacks.
As a reminder, security researcher Rajwardhan Agarwal published a working exploit for exploiting CVE-2021-21220 by reverse engineering the patch in the source code of the browser component. Agarwal also reported another vulnerability affecting Chromium-based browsers. The issue has been fixed in other browsers, however the latest release of Chrome remains vulnerable to attacks.
“The problems are different in nature, both of them can be used to remotely execute code during rendering,” the specialist explained.
Another vulnerability, CVE-2021-21206 , is a post-release exploit issue in the Blink browser engine for Chromium. According to Google, it is already being used in real attacks, but the company, as usual, does not disclose the details until the majority of users have installed the update.