Zero-Day Google Chrome Exploit

The zero-day was described as a “heap buffer overflow” memory-corruption bug in the V8 JavaScript engine. Google said the bug was being exploited in the wild before security researcher Mattias Buelens reported it to Google’s engineers on January 24, 2021. Around the same time, Google’s security team published a report on attacks carried out by North Korean hackers against the cyber-security community. Some of those attacks consisted of luring security researchers to a blog where the attackers exploited browser zero-days to run malware on the researchers’ systems.

CVE identifier: CVE-2021-21148

How does this exploitation work?

  • A heap-buffer overflow is, as its name suggests, a type of buffer-overflow error: a write runs past the end of a buffer allocated on the heap, the region of a process’ memory used to store dynamically allocated objects, and lands on whatever object happens to sit next to it.
  • When a buffer overflow occurs it typically makes the affected program behave incorrectly, causing memory-access errors and crashes; when the attacker controls the data being written, overwriting a neighbouring object’s fields (a length, a pointer, a type tag) is the usual first step towards remote code execution.
  • Beyond classifying the flaw as a heap-buffer overflow, Google did not specify the potential impact of this vulnerability. In fact, details of the bug overall (including how it can be exploited) remain scant while Google works to push out the fixes.
  • The heap-buffer overflow error exists in V8, an open-source WebAssembly and JavaScript engine developed by the Chromium Project for Google Chrome and Chromium web browsers. V8, which is written in C++, can run stand-alone, or can be embedded into any C++ application.
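The mechanics described above, as an added illustration that is not code from the page, from V8 or from the exploit in question (no details of CVE-2021-21148 itself are public on this page). The toy “heap” is a single constructed arena holding a fixed-size buffer followed by the length field of a neighbouring object, so every write stays inside memory the program owns; `append_unchecked` keeps the bug on purpose, and `append_checked` is the bounds check that prevents it. Names, sizes and the attacker payload are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy "heap": one malloc'd block laid out as
 *   [DATA_CAP bytes of a fixed-size buffer][4-byte length field of the next object]
 * Carving both objects out of a single allocation keeps every write inside
 * memory we own (no undefined behaviour, no dependence on where the real
 * allocator places things) while reproducing the adjacency a heap overflow
 * exploits. */
#define DATA_CAP   16
#define ARENA_SIZE (DATA_CAP + sizeof(uint32_t))

typedef struct {
    uint8_t *heap;     /* the arena above; buffer bytes start at heap[0]  */
    size_t   capacity; /* DATA_CAP: what a correct append must enforce    */
    size_t   length;   /* bytes written so far (invariant: <= capacity)   */
} HeapBuf;

/* BUG, kept deliberately to mirror the vulnerability class: the size of the
 * incoming chunk is trusted, so length + n may exceed capacity and memcpy
 * spills into the neighbouring object's length field. */
int append_unchecked(HeapBuf *b, const uint8_t *src, size_t n) {
    memcpy(b->heap + b->length, src, n);
    b->length += n;
    return 0;
}

/* Fix: reject before touching memory. `capacity - length` cannot underflow
 * because this path never lets length exceed capacity, and comparing n with
 * the remaining room avoids the wrap-around that `length + n` could suffer
 * for a huge n. */
int append_checked(HeapBuf *b, const uint8_t *src, size_t n) {
    if (n > b->capacity - b->length)
        return -1;
    memcpy(b->heap + b->length, src, n);
    b->length += n;
    return 0;
}

/* Reads the neighbour's length field back out of the arena. */
static uint32_t neighbour_length(const uint8_t *heap) {
    uint32_t v;
    memcpy(&v, heap + DATA_CAP, sizeof v);
    return v;
}

/* Pushes the same oversized chunk through one of the two paths and returns
 * the neighbour's length field afterwards: 8 if it survived, the attacker's
 * value if it was overwritten. */
uint32_t neighbour_after_write(int use_checked_path) {
    uint8_t *heap = calloc(1, ARENA_SIZE);
    if (!heap)
        return 0;
    uint32_t honest_len = 8;                      /* neighbour's real length */
    memcpy(heap + DATA_CAP, &honest_len, sizeof honest_len);

    HeapBuf b = { heap, DATA_CAP, 0 };

    /* Constructed attacker input: DATA_CAP filler bytes followed by the four
     * bytes that land on the neighbour's length field. A huge length on an
     * adjacent array is the classic way a corruption becomes an
     * out-of-bounds read/write primitive. */
    uint8_t  payload[DATA_CAP + sizeof(uint32_t)];
    uint32_t fake_len = 0x7fffffffu;
    memset(payload, 'A', DATA_CAP);
    memcpy(payload + DATA_CAP, &fake_len, sizeof fake_len);

    if (use_checked_path)
        append_checked(&b, payload, sizeof payload);
    else
        append_unchecked(&b, payload, sizeof payload);

    uint32_t result = neighbour_length(heap);
    free(heap);
    return result;
}

/* Exercises the checked path at its boundary: exactly filling the buffer is
 * accepted, one more byte is refused and leaves length untouched. */
int checked_path_boundary_ok(void) {
    uint8_t heap[ARENA_SIZE] = {0};
    uint8_t chunk[DATA_CAP]  = {0};
    HeapBuf b = { heap, DATA_CAP, 0 };
    return append_checked(&b, chunk, DATA_CAP) == 0
        && append_checked(&b, chunk, 1) == -1
        && b.length == DATA_CAP;
}

int main(void) {
    printf("unchecked append: neighbour length = 0x%08x\n", (unsigned)neighbour_after_write(0));
    printf("checked append:   neighbour length = 0x%08x\n", (unsigned)neighbour_after_write(1));
    return 0;
}
```

Building the unchecked variant with `-fsanitize=address` against a real allocator (two separate `malloc` calls instead of one arena) is how a fuzzer or a reporter would catch this class of bug; the report Google received for CVE-2021-21148 would describe a write of this shape inside V8, not this toy.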

Effects of the exploitation

  • The flaw is only the latest security issue in Google Chrome in recent months. In January, the Cybersecurity and Infrastructure Security Agency (CISA) urged Windows, macOS and Linux users of Google’s Chrome browser to update to the 87.0.4280.141 release, which fixed an out-of-bounds write bug in V8 (CVE-2020-15995).
  • In December, Google updated Chrome to fix eight bugs, four of them with a severity rating of “high”. Three were use-after-free flaws, which let an adversary corrupt the browser’s memory, opening the door to a browser hack and compromise of the host computer.

How was this vulnerability used in the wild?

  • Based on the timing of the discovery (January 24) and the report issued by Google’s Threat Analysis Group (TAG) on January 26, the general assumption is that the attack was used against security researchers working on vulnerability research and development at various companies and organizations.
  • To connect and gain trust among security researchers, the actors created a research blog and multiple Twitter profiles to interact with potential targets.
  • One of the methods the attackers used was to interact with the researchers and get them to follow a link on Twitter to a write-up hosted on a malicious website.
  • Shortly after the visit, a malicious service was installed on the researcher’s system and an in-memory backdoor began communicating with a command-and-control (C&C) server. A drive-by compromise triggered merely by visiting a web page is consistent with a heap-buffer overflow in the browser being the entry point, although Google has not confirmed which bug the campaign used.

Remedies

  • Google Chrome users can go to chrome://settings/help by clicking Settings > About Chrome.
  • The latest version available is 88.0.4324.150, which was released with the fix.
  • Users can then relaunch the browser to complete the update.
  • Before 2021’s patches, Google went through a spell last year where it patched five actively-exploited Chrome zero-days in a span of three weeks.
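The version check from the remedies above, written out as an added example (not code from the page or from Google): it takes the version string shown on the About Chrome page and decides whether it predates the fixed release. The point worth showing is that version strings must be compared component by component as numbers, since a plain string comparison would rank 88.0.4324.99 above 88.0.4324.150. The function names and the sample input are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

/* First Chrome release carrying the fix for CVE-2021-21148, per Google's advisory. */
#define PATCHED_VERSION "88.0.4324.150"

/* Parses a four-part Chrome version ("88.0.4324.150") into out[4].
 * Returns 1 on success, 0 if the string is not exactly in that form. */
int parse_chrome_version(const char *s, unsigned out[4]) {
    char tail;
    /* The trailing %c only matches if junk follows the fourth number
     * ("88.0.4324.150x"), in which case sscanf returns 5 and we reject. */
    return sscanf(s, "%u.%u.%u.%u%c", &out[0], &out[1], &out[2], &out[3], &tail) == 4;
}

/* Numeric, component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
 * strcmp() would be wrong here because "99" sorts after "150" as text. */
int compare_chrome_versions(const unsigned a[4], const unsigned b[4]) {
    for (int i = 0; i < 4; i++) {
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* 1 if `installed` is older than the fixed release, 0 if it is patched,
 * -1 if the string could not be parsed (treat as unknown, never as safe). */
int chrome_vulnerable_to_cve_2021_21148(const char *installed) {
    unsigned have[4], want[4];
    if (!parse_chrome_version(installed, have))
        return -1;
    parse_chrome_version(PATCHED_VERSION, want);
    return compare_chrome_versions(have, want) < 0;
}

int main(int argc, char **argv) {
    /* Constructed sample: the build immediately before the fix. */
    const char *v = argc > 1 ? argv[1] : "88.0.4324.146";
    int r = chrome_vulnerable_to_cve_2021_21148(v);
    printf("%s: %s\n", v,
           r < 0 ? "unrecognised version string" :
           r     ? "VULNERABLE, update Chrome" : "patched");
    return 0;
}
```

Feed it the string from chrome://settings/help (or the output of `google-chrome --version` with the leading product name stripped); anything that does not parse is reported as unknown rather than as patched, so a renamed or custom build does not silently pass.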