Companies attacked last April via zero-day leak in Google Chrome

Several companies became the target of a targeted attack in April in which attackers used a zero-day leak in Google Chrome to infect systems with malware. The browser vulnerability was used in conjunction with two zero-days in Windows to break out of Chrome's sandbox and gain system privileges. That says antivirus company Kaspersky in an analysis.

The attacks were observed by the virus fighter on April 14 and 15. Kaspersky did not say which companies were the target of the attacks and where they are located. Google Chrome was up-to-date among the attacked organizations. The browser zero-day leak used could not be traced, but researchers suspect it is CVE-2021-21224.

CVE-2021-21224 was fixed by Google in the JavaScript engine on April 12. The tech company made the corresponding regress/unit test public. Using this information, a security researcher was able to uncover the underlying vulnerability and develop an exploit, which was posted online. Google fixed the vulnerability on April 20 in Chrome.

The vulnerability could allow an attacker to execute code within the browser. Just visiting a malicious or compromised website is enough for this. The zerodays in Windows make it possible to break out of Chrome's sandbox and increase permissions. The vulnerabilities in Windows are not enough on their own to compromise a system.

Kaspersky reported the two vulnerabilities, designated CVE-2021-31955 and CVE-2021-31956, to Microsoft on April 20. The tech company released security updates for Windows last night to fix the vulnerabilities.

Previous Post Next Post