Google Fixed two Vulnerabilities in Chrome, Including 0Day

PoC code already exists on the web to exploit one of the patched vulnerabilities.

Google specialists have released a new version of the Chrome browser (89.0.4389.128) for Windows, macOS and Linux, fixing two vulnerabilities, for one of which there is already a PoC code, and the second is actively exploited in attacks.

In the first case, we are talking about the vulnerability CVE-2021-21220 in the rendering JavaScript engine V8, demonstrated by experts as part of the Pwn2Own 2021 competition.

As a reminder, security researcher Rajwardhan Agarwal published a working exploit for exploiting CVE-2021-21220 by reverse engineering the patch in the source code of the browser component. Agarwal also reported another vulnerability affecting Chromium-based browsers. The issue has been fixed in other browsers, however the latest release of Chrome remains vulnerable to attacks.

“The problems are different in nature, both of them can be used to remotely execute code during rendering,” the specialist explained.

Another vulnerability, CVE-2021-21206 , is a post-release exploit issue in the Blink browser engine for Chromium. According to Google, it is already being used in real attacks, but the company, as usual, does not disclose the details until the majority of users have installed the update.