Chrome 88 update patches a zero-day that is being actively exploited

Google Chrome’s autoupdate feature means we don’t usually need to think about being on the latest version, but occasionally users will want to take a break and make sure they’re upgraded — this is one of those days. The version of Chrome 88 rolling out now for Windows, Mac and Linux (88.0.4324.150) addresses one item, but it’s a big one.

According to a blog post, security researcher Mattias Buelens reported a vulnerability in Chrome’s WebAssembly and JavaScript engine V8, which could allow an attacker to execute code on a victim’s computer. Google didn’t go into detail about the problem, tagged CVE-2021-21148, but said it’s aware of reports the bug is already being exploited in the wild, so update immediately.

In a note, Google said “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.” As a result we don’t know what exploit this is tied to, but ZDNet notes the timing puts it close to revelations about a campaign carried out by North Korean hackers that targeted security researchers, which may have relied on zero-day exploits in Chrome and Internet Explorer.

Regardless of where or how the bug is being exploited, you’ll still want to update your browser (and keep an eye out for fixes to other potentially affected software, like other Chromium-based browser) right away. As ZDNet and BleepingComputer noted, this occasionally happens. A notable fix in 2019 required a restart to for the fix to take effect, and there was a stretch last fall where, in one month, Google addressed five zero-days that were being actively exploited.