Google rushes out fix for another Chrome zero-day flaw

It’s the third previously unknown vulnerability that Chrome has addressed this year.

Google has released an urgent software update for a flaw in the popular Chrome browser amid reports that an exploit for the bug is already available. 

The vulnerability is in Blink, the rendering engine that Chrome uses to convert HTML code to web pages, and could allow an attacker to execute code remotely or conduct a denial-of-service attack on a machine, according to IBM. An anonymous researcher reported the issue to Google on March 9, and the company released a fix for the bug on March 12.

It’s the third so-called zero-day, or previously unknown, vulnerability that Chrome has addressed this year. It’s an example of the high-stakes cat-and-mouse game between attackers searching for holes in popular software and vendors moving to plug them.

In a blog post, Google Chrome’s Prudhvikumar Bommana did not offer additional details on the bug. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” he wrote, adding that Google was aware of reports that the vulnerability had been exploited in the wild.

Vulnerabilities in popular web browsers can be particularly valuable to spies, allowing them to cast a vast surveillance net from which to pluck individual targets. Such was apparently the case when hackers used three zero-days in Internet Explorer to target people working on North Korean issues in 2019 and 2020.

It was not immediately clear which hackers were exploiting the new Blink vulnerability.

It’s been a busy few weeks for Chrome’s security team. On March 2, Chrome released a fix for another critical bug in the browser’s audio component. And just weeks earlier, Chrome issued a patch for a flaw in the browser’s JavaScript engine.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
