Google Patches Active Zero-Day Chrome Exploit

Philip BaderVulnerabilitiesLeave a Comment

If you use the Google Chrome web browser, don’t wait for your next automatic update. Do it manually, and do it now. The new release includes a security patch for what Google described as a heap buffer overflow in V8 in a blog post on February 4. This memory corruption vulnerability, dubbed CVE-2021-21148, was discovered by a researcher late last month.

Google didn’t specify how this vulnerability had been exploited. But a report last month by Google’s Threat Analysis Group suggests there might be a connection to recent attacks on cybersecurity researchers by North Korean hackers.

Buffer overflow vulnerabilities take advantage of the way memory stores and allocates data. When a buffer exceeds its capacity, data spills out into adjacent memory space. When it does, it overwrites the data that resides in this adjacent space. Overflows can often result in a computer crash. But they can also create an entry point for malicious actors.

Some Background

Application security firm Veracode offers some useful background on buffer overflow and how it can be exploited. Not all programming languages are prone to buffer overflow problems. But buffer overflows in applications written in C++, one of the languages used in Google Chrome, can often be exploited.

Attackers can exploit buffer overflows by injecting malicious code into affected areas of memory that can allow unauthorized access to the system or trigger other specific actions. In one example cited by Veracode, a coding error failed to clearly define the array for a password that would grant system access.

In this example, the error was exploited when an attacker specified a password value greater than the buffer could contain. The resulting overflow corrupted the password instructions and allowed the attacker to receive root privileges by entering an incorrect password. An incorrect password should have prevented access, but those instructions were corrupted by the buffer overflow.

The North Korean Connection

On January 25, Google’s Threat Analysis group announced its discovery of a new campaign that targeted cybersecurity researchers working specifically on vulnerability research. Google said North Korean hackers had for months been using profiles on prominent social media platforms to contact security researchers using fake profiles.

“After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” said one of Google’s TAG researchers in the announcement. The VB project contained malware that was later linked to the Lazarus Group, a North Korean state-sponsored group.

In some cases, security researchers were directed to a blog site that featured posts on previously published vulnerabilities in an effort to appear credible. Once there, malicious code was installed on visitors’ computers. The code installed an in-memory backdoor on systems using Windows 10 and Google Chrome browsers. Some analysts see a connection between the documented North Korean attack and this week’s Chrome patch, though Google has so far drawn no explicit relationship between them.

The Anatomy of Zero-Day Exploits

Zero-Day vulnerabilities are important primarily because they are active vectors of attack that capitalize on unknown hardware or software flaws. Cybersecurity firm FireEye has a useful vulnerability timeline for zero-day attacks. Developers create software that contains a security flaw. Threat actors spot it and create exploit code. The release of the exploit makes the vulnerability known, and developers issue a patch to prevent future attacks.

The SolarWinds hack, uncovered in December last year, involved malware strains that took advantage of zero-day vulnerabilities. FireEye was the first to identify the threat after its own systems were targeted. The massive SolarWinds supply chain attack compromised users across numerous sectors, including top U.S. government agencies, energy and telecoms organizations, and major tech companies including Microsoft.

SolarWinds has released updated software to counter the vulnerabilities, but security experts continue to uncover new details and consequences of the attack. It’s believed that Russian actors first gained access to SolarWinds’ Orion software platform in March 2020. For the better part of a year, they monitored compromised systems without being detected. The time between deployment of a zero-day exploit and a developer’s patch can sometimes be years.

Whether vulnerabilities are known or unknown, protecting yourself from attack requires constant attention. Keeping your software regularly updated is a good start. But SecureData knows that true protection requires a multilayered approach. Our data security solutions are rooted in hardware-encrypted storage, offline backup systems, remote drive management, and solid endpoint security.

To learn more about how SecureData can help you implement a comprehensive data security solution, call us at 1-800-520-1677.