Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.
Details of Chrome Zero-Day flaw CVE-2021-21193
Date
Zero-Day flaw in the Chrome web browser for Windows, Macintosh, and Linux computers
A zero-day flaw has been found in the Chrome web browser used on Windows, Macintosh, and Linux computers. The flaw (CVE-2021-21193) ranks 8.8 out of 10 on the CVSS vulnerability-rating scale, making it high-severity. The flaw is exploited if a user is running Google Chrome and clicks on a malicious link that goes to a specially crafted website that exploits the flaw (for example, by executing malicious code or even cause a denial-of-service attack on the system).
Google has released an update that addresses this vulnerability (version 89.0.4389.90). Most Chrome browser will auto-updated and the update requires the browser to be restarted.
Considering the disclosed vulnerabilities, you should update your Chrome browser to the latest version (at least 89.0.4389.90) as soon as possible. This update includes 5 security fixes.
Double-check your Chrome Browser is up-to-date
Chrome will in many cases update to its newest version automatically.
However, we recommend you double-check if the update has been applied.
In Chrome, click on Settings then About Chrome
If an update is available, Chrome will show that here and then start the download process. When it's completed, it will ask to relaunch the browser to complete the update.
If the browser is up-to-date, it will say "Google Chrome is up to date" and list the version number. Make sure it's at least 89.0.4389.90
Additional Details
The vulnerability exists in Blink, the browser engine for Chrome.
Browser engines convert HTML documents and other web page resources into the visual representations viewable to end users. The flaw (CVE-2021-21193) ranks 8.8 out of 10 on the CVSS vulnerability-rating scale, making it high-severity. It’s a use-after-free vulnerability, which relates to incorrect use of dynamic memory while using the browser. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program. (reference: https://threatpost.com/google-mac-windows-chrome-zero-day/164759/).
Please see the Chrome Security Page for more information.