A patch has been issued in version 88 of Google’s Chrome browser — specifically, version 88.0.4324.150 for Windows, Mac and Linux.
“Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild,” Google said in its Thursday security update.
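Because the only concrete defensive action here is confirming that installed browsers are at or above the fixed build, the following added example (not code from the article or from Google) checks Chrome version strings against 88.0.4324.150 and sorts an inventory into patched, vulnerable and unknown; the function names and the sample hosts are constructed for illustration.

```python
# Added example (not from the article): check whether an installed Chrome
# version string is at or above the build that fixes CVE-2021-21148.
# The fixed version 88.0.4324.150 comes from the article; the function
# names and the sample inventory below are constructed for illustration.
import re
from typing import Optional, Tuple, List

FIXED_VERSION = "88.0.4324.150"  # first stable build carrying the fix

def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn a Chrome version like '88.0.4324.150' into a tuple of ints.

    Chrome stable versions have exactly four dotted integer fields, so
    anything else (an empty string, 'unknown', '88.0') is rejected rather
    than silently compared as if it were a real version.
    """
    cleaned = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", cleaned):
        return None
    return tuple(int(part) for part in cleaned.split("."))

def is_patched(version: str) -> Optional[bool]:
    """True if `version` includes the fix, False if it is older,
    None if the string could not be parsed (treat as 'needs review')."""
    parsed = parse_version(version)
    if parsed is None:
        return None
    # Tuple comparison is field by field, so 88.0.4324.150 > 88.0.4324.96
    # even though a plain string comparison would get that wrong.
    return parsed >= parse_version(FIXED_VERSION)

def triage(inventory: List[Tuple[str, str]]) -> dict:
    """Group hostnames by patch status from (host, version) pairs."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory:
        status = is_patched(version)
        key = "unknown" if status is None else ("patched" if status else "vulnerable")
        report[key].append(host)
    return report

if __name__ == "__main__":
    # Constructed sample inventory, as an endpoint-management export might look.
    sample = [("ws-01", "88.0.4324.150"), ("ws-02", "88.0.4324.146"),
              ("ws-03", "89.0.4389.72"), ("ws-04", "unknown")]
    for status, hosts in triage(sample).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in "unknown" should be re-inventoried rather than assumed safe, since an unparseable version usually means the agent never read the browser at all.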
Reportedly used to target security researchers
A report by Google researchers revealed that hackers linked to North Korea were targeting security researchers with an elaborate social-engineering campaign that set up trusted relationships with them — and then infected their organizations’ systems with custom malware.
“One of the methods the attackers used was to interact with the researchers and get them to follow a link on Twitter to a write-up hosted on a malicious website,” said researchers with Malwarebytes.
“Shortly after the visit, a malicious service was installed on the researcher’s system and an in-memory backdoor would begin to communicate with a command and control (C&C) server. This sure sounds like something that could be accomplished using a heap buffer overflow in a browser.”
However, Google has not confirmed that the in-the-wild exploit for CVE-2021-21148 is connected to that campaign.