Google has confirmed that it is aware of reports that a zero-day Chrome browser exploit exists in the wild. A zero-day vulnerability remains a relatively rare event in cybersecurity terms, and as such is both valuable and dangerous in the hands of threat actors. The term refers to a vulnerability that is actively exploited by hackers before it has been discovered by either the product vendor or the threat intelligence community. Only at the point of discovery, day zero, can mitigation efforts begin. Until then, the attackers have a head start, and the threat window stays wide open, often for weeks or months.
Chrome 88 fixes a zero-day vulnerability known as CVE-2021-21148. It was reported by security researcher Mattias Buelens back on Jan. 24, but Google discovered it was being exploited by hackers before the vulnerability could be patched out of the browser.
Our security team recommends that both end users and IT administrators apply the necessary Chrome updates as soon as possible. These updates are for the Windows, Mac and Linux versions of the Chrome browser, and for browsers such as Edge that are built on the same Chromium platform, and will be rolling out "over the coming days and weeks," according to Google. The patched Chrome version to look out for is 88.0.4324.
Automatic updating ensures that Chrome is updated to the latest version once the browser is restarted. Of course, not everyone will have automatic updates enabled, and not all of those who do will restart Chrome on a regular basis.