Researchers have found a critical vulnerability, CVE-2021-21148, in Google Chrome. We recommend addressing it as soon as possible because cybercriminals are already exploiting it. Browser versions for all major desktop operating systems (Windows, macOS, and Linux) are vulnerable. Here’s what’s going on, and how to update your browser.
Why CVE-2021-21148 is dangerous
The vulnerability lets cybercriminals perform a heap overflow attack — a memory-corruption technique that can lead to remote code execution on a victim’s device. Exploiting the vulnerability can be as simple as crafting a malicious Web page and luring victims to it; the potentially devastating result is that attackers can gain total control over the affected system.
According to a ZDnet article, the vulnerability may be connected to recent hacker attacks out of North Korea on the cybersecurity expert community. At least, the attack pattern bears striking similarities to the exploitation of CVE-2021-21148. Also, the date of the vulnerability’s discovery is very close to the date on which the attacks on experts were disclosed. However, we do not yet have direct confirmation of this theory.
As usual, Google is waiting until most active Chrome users have updated their browsers to disclose more technical details. That is understandable; irresponsible vulnerability disclosure can lead to a rapid increase in attacks.
How to stay safe
- Immediately update Google Chrome on your PC. To do so, click the button with three dots in the upper right corner of the browser window and choose Settings → About Chrome. Once you open this page, your browser will start updating automatically.
- Restart the browser if prompted for the changes to take effect. Do it right away, and don’t worry about losing open tabs; modern versions of Chrome either automatically restore the tabs on relaunch or, in the event of an unexpected shutdown, offer to restore them.
- If Chrome’s About page indicates you’re already using version 88.0.4324.150, then your browser is up to date and you no longer have to worry about CVE-2021-21148.
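Checking one browser through the About page is fine for a single PC, but anyone responsible for more than a handful of machines will want to compare installed versions against the fixed build programmatically. The script below is an added example and is not part of the original article or of Google's tooling: it parses the `Name major.minor.build.patch` line that `google-chrome --version` prints on Linux (the assumption that other channels print the same shape is mine), compares versions component by component, and sorts constructed inventory records into patched, vulnerable and unknown buckets. The point it makes beyond the article is that a plain string comparison is wrong here: `"88.0.4324.96"` sorts *after* `"88.0.4324.150"` lexicographically, so a naive check would mark an unpatched browser as safe.

```python
import re
from typing import Dict, List, Optional, Tuple

# Build in which Google shipped the fix for CVE-2021-21148 (from the article).
FIXED_VERSION = "88.0.4324.150"

# Chrome versions always have four numeric components.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '88.0.4324.150' into a tuple of ints.

    Tuples compare component by component numerically, which is what we need.
    Comparing the raw strings would be lexicographic and would rank
    '88.0.4324.96' above '88.0.4324.150' because '9' sorts after '1'.
    """
    return tuple(int(part) for part in version.strip().split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is the fixed build or anything newer."""
    return parse_version(installed) >= parse_version(fixed)


def extract_version(output: str) -> Optional[str]:
    """Pull the four-component version out of e.g. 'Google Chrome 88.0.4324.150'.

    Assumption: this is the format printed by `google-chrome --version`.
    Returns None when no version is present so the caller can treat an
    unparseable host as 'unknown' rather than silently as 'safe'.
    """
    match = _VERSION_RE.search(output)
    return match.group(1) if match else None


def triage(hosts: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify hosts into patched / vulnerable / unknown.

    `hosts` maps a hostname to the raw output of the browser's --version command.
    """
    result: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, output in hosts.items():
        version = extract_version(output)
        if version is None:
            result["unknown"].append(host)
        elif is_patched(version):
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory: made-up hostnames and command output,
    # not data from the article.
    sample = {
        "ws-01": "Google Chrome 88.0.4324.150",
        "ws-02": "Google Chrome 88.0.4324.96",
        "ws-03": "Google Chrome 89.0.0.1",
        "ws-04": "bash: google-chrome: command not found",
    }
    for bucket, names in triage(sample).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Hosts that land in `unknown` deserve a manual look rather than being ignored; a machine where the version cannot be read is the one most likely to be running something old.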