Earlier today, Google pushed an unscheduled update for the Chrome browser on Windows, macOS, and Linux. It fixes CVE-2021-4102, a high-risk zero-day vulnerability that is currently being widely exploited.
Chrome Patch
Google revealed that the vulnerability is a use-after-free in Chrome's V8 JavaScript engine. It is caused by incorrect use of dynamic memory during program operation.
If, after freeing a memory location, the program does not clear the pointer that still points to it, an attacker can use the vulnerability to compromise the program.
After that, the attacker can execute arbitrary code and escape the Chrome browser's security sandbox.
However, Google will not disclose how the vulnerability is triggered or its other specifics until most users have completed the version update.
Chrome browser users ought to update to version 96.0.4664.110 immediately.
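One way to check a set of machines against the fixed build named above, shown as an added example that is not part of the original article. It assumes stable-channel version strings in the form printed by `chrome --version`; the hostnames and every build number other than 96.0.4664.110 are constructed sample data. Versions are compared as integer tuples because a plain string comparison would rank `.93` above `.110`.

```python
import re

FIXED = (96, 0, 4664, 110)  # fixed build stated in the article

# Matches a four-part version inside strings such as "Google Chrome 96.0.4664.93"
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def needs_update(text, fixed=FIXED):
    """True if below the fixed build, False if at or above it, None if unparseable."""
    version = parse_version(text)
    if version is None:
        return None
    return version < fixed


def triage(inventory):
    """Split {host: reported_version} into (outdated, current, unknown) host lists."""
    outdated, current, unknown = [], [], []
    for host, reported in sorted(inventory.items()):
        verdict = needs_update(reported)
        bucket = unknown if verdict is None else outdated if verdict else current
        bucket.append(host)
    return outdated, current, unknown


# Constructed sample inventory: hostnames and non-fixed builds are made up.
SAMPLE = {
    "ws-01": "Google Chrome 96.0.4664.93",
    "ws-02": "Google Chrome 96.0.4664.110",
    "ws-03": "Google Chrome 97.0.1.2",
    "ws-04": "Google Chrome 95.0.4638.69",
    "ws-05": "not installed",
}

if __name__ == "__main__":
    outdated, current, unknown = triage(SAMPLE)
    print("update required:", outdated)
    print("at or above fixed build:", current)
    print("version unknown:", unknown)
```

Hosts in the unknown bucket should be checked by hand rather than assumed patched.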
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.
Though the Chrome patch has a long changelog, it mainly fixes 5 bugs:
[$NA][1263457] Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26
[$5000][1270658] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16
[$5000][1272068] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19
[$TBD][1262080] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair on 2021-10-21
[$TBD][1278387] High CVE-2021-4102: Use after free in V8. Reported by Anonymous on 2021-12-09
What is Zero-day Vulnerability
The security team from Alibaba was the first to talk about this vulnerability. As they described, Apache Log4j2 is a Java-based logging tool. It is a rewrite of the Log4j framework. The logging framework is widely used in business system development to record log information.
“In most cases, developers may write error messages caused by user input into the log. Attackers can use this feature to construct special data request packets through this vulnerability, and ultimately trigger remote code execution.”
They also added that “Vulnerability exploitation does not require special configuration. After verification by the Alibaba Cloud security team, Apache Struts2, Apache Solr, Apache Druid, Apache Flink, etc. are all affected.”
Alibaba Cloud Emergency Response Center recommended that Apache Log4j2 users take security measures as soon as possible. The level of the vulnerability is Serious (Critical).