If you use Google Chrome, you need to stop reading this and update your browser this very second.
Google on Thursday released the latest update to its popular browser (version 88.0.4324.150), which patches a critical zero-day vulnerability that hackers have already exploited.
A zero-day vulnerability is, basically, an exploitable flaw that the software maker doesn’t know about and thus cannot issue a patch. In this case, Google said, the vulnerability was a “heap buffer overflow” flaw in the V8 JavaScript engine, which powers Chrome.
[referenced id=”1667317″ url=”https://gizmodo.com.au/2021/01/north-korean-hackers-successfully-phished-cyber-researchers-using-a-fake-blog/” thumb=”https://gizmodo.com.au/wp-content/uploads/2021/01/27/oyf0vniybmlyjqqjbtkr-300×169.jpg” title=”North Korean Hackers Successfully Phished Cyber Researchers Using a Fake Blog” excerpt=”A recent phishing campaign by North Korean nation-state hackers successfully duped a number of security professionals who were involved in vulnerability research and development, according to a new report from Google’s Threat Analysis Group.”]
Google said the vulnerability, dubbed “CVE-2021-21148,” was reported to the company on Jan. 24 by software developer Mattias Buelens. “Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild,” the company said.
While Google didn’t expand on what those “reports” are, the day after Buelens filed the bug report, Google’s Threat Analysis Group published a report detailing a campaign by what they believe were North Korean nation-state hackers against a slew of cybersecurity professionals. Three days later, on Jan. 28, Microsoft security researchers published their own report, further detailing the hacking campaign by the hacking group, which they dubbed “ZINC” and is also known as “Lazarus.”
Hopefully, the new Chrome patch locks out those hackers and anyone else who knew about the CVE-2021-21148 zero-day. (Again, it’s possible they exploited a different vulnerability, but the timing of all these reports suggest they’re connected.) Regardless, Chrome users should make sure to update the browser immediately.
To check for Chrome updates, click on Chrome in the menu, then About Google Chrome, or simply put chrome://settings/help in the address bar.