Almost exactly a month ago, or a couple of days under an average month given that February was the short one, we warned of a zero-day bug in Google’s Chromium browser code.
Patch now, we said.
And we’re saying it again, following Google’s otherwise cheery release of version 89.0.4389.72:
The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.
We’ve never quite understood Google’s mention of rolling out updates over “days/weeks” in an update bulletin that includes 47 security fixes, of which eight have a severity level of High.
In fact, we suggest going out manually and making sure you’ve got your Chrome update already, without waiting for those day/weeks to elapse until the update finds you.
If you’re using a Chromium-based product from another browser maker, check with that vendor for information about whether their build is affected by this bug, and if so whether the patch is downloadable yet.
Object lifecycle issue in audio
Two of the eight High Severity bugs in this set of patches were apparently found in the same part of Chrome, denoted in Google’s list merely as: Object lifecycle issue in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Research.
The first bug is numbered CVE-2021-21165, reported on 2021-02-04, a month ago; the second was dubbed CVE-2021-21166, reported a week after that on 2021-02-11.
An object lifecycle issue is a jargon way of referring to what probably amounts to some kind of memory mismanagement.
The word “object” refers, very loosely, to a block of memory containing some sort of data structure, together with a list of associated programmatic functions for manipulating that data.
Managing an object’s lifecycle means, amongst other things:
- Ensuring that the memory it uses is reclaimed by the system when the object is no longer needed.
- Taking care not to reclaim and reallocate the memory while the object is still being used.
- Not doing any calculations on the object before its memory has been assigned and initialised.
- Not doing the wrong sort of calculations on the data in an object, such as trying to treat a JPEG file as a PNG, or assuming that an audio clip has 16 bits per audio sample when it only has 8 bits.
- Stopping two different parts of the program from clashing over access to the object.
Exploit in the wild
We don’t know what form these particular bugs took, given that the Chromium team’s discussion of the bugs in this release still seems to be in “keep-it-private-to-stave-off-the-crooks-a-while-longer” mode.
But we do know that at the end of this month’s bug list you will see an almost casual sentence saying that:
Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild.
In vernacular language, that means “this is a zero-day bug.”
In this context, “zero-day” denotes that the crooks got there first, so that there were literally zero days on which even the fastest-patching sysadmin could have been ahead of the Bad Guys.
Who’s exploiting this bug, in which parts of the world, against whom, and with what sort of outcome, we don’t yet know.
We’re assuming that some sort of remote code execution attack (RCE) is involved, in which case this bug, when successfully triggered, could lead to crooks implanting malware on your computer without you noticing at all, let alone agreeing to download or install any files.
We’re also assuming, given that this bug apparently has something to do with audio processing, that the bug can be deliberately and remotely triggered by serving up some audio-related data via a booby-trapped web page.
What to do?
As always in a zero-day report of this sort, don’t worry too much about the exact hows and whys just yet – assume that some kind of “drive-by” RCE is possible, so that just visiting a booby-trapped site might be enough to drop malware onto your computer, and therefore patch right away.
To check what version you have, click the three-lines icon (the “hamburger menu”) in the top right corner.
For Chrome, go to Help > About Chrome. For Chromium simply click About Chromium.
(In either browser, you can also put the special URL chrome://settings/help into the address bar.)
The version you are looking for is 89.0.4389.72 or above.
If you aren’t up-to-date, use the Update Google Chrome option on Windows or Mac to force an update.
If you’re on Linux and your version of Chrome or Chromium is provided by your distro maker, check back with your distro for update details.
Note: If you are using Microsoft Edge, which is based on the Chromium source code but has a different version number sequence, the version to look for is 89.0.774.45 or above.
Paul Ducklin
Hi, folks. I know this is rather the wrong way round, the author asking in his own comments for advice, but…
…I’ve got Microsoft Edge on Linux (Chromium based, still in development mode so not a stable release) and the latest update is dated “today” according to US clocks (it’s still 2021-03-03 over there), and numbered 90.0.810.1.
Can anyone with more of an insider view than I cast any light on whether this version of the Edge codebase needs the CVE-2021-21166 patch, and if so whether it received it? Can’t find anything definitive myself so far…
James
Am also running that version of Edge (Linux beta on Chromebook), Linux beta on Chromebook is a bit rough, but Edge works as good as Chrome on it. I also use a Microsoft mouse on my Chromebook and Office Online, that company does do some things well :-) One Drive android app even incorporates itself into Chromebook File explorer (read only).
I got that Edge version after the Chrome update so hopefully it is patched. Be interesting to know how many readers are using Edge and on what OS?
A question for you Paul, I was using Sophos Home (free version, sorry :-P ) on a Win7 Laptop, was trying to use Chrome to upload files to One Drive, didn’t seem to work. I noticed I had peer to peer set to warn in web filtering, would this use of one drive count under that?
Paul Ducklin
Not sure about the Sophos Home question, I’m afraid. (You could try turning peer-to-peer off and on and seeing if the issue goes away and then comes back.) You might find some pointers on the Sophos Home Support page: https://support.home.sophos.com/hc/en-us
James
https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#march-4-2021
Paul Ducklin
Excellent! Thanks for the link. In that 2021-03-04 update note:
“Microsoft has released the latest Microsoft Edge Stable Channel (Version 89.0.774.45) […] This update [deals with] CVE-2021-2116.”
Paul Ducklin
Added this info to the main article – thanks!
Larry Marks
Google seems to stage the updates out, either due to server capacity or to minimize the effects of a bad update. Sometimes the invite doesn’t show up for a while. When there’s a zero-day like this one, you can force the update before you’re invited (“Update Available” button at the upper right). But they hide it–it’s not easy to find. The hiding place is:
Settings–>Safety Check–>Updates, starting at the sandwich menu.
This is valid for Windows 10, X64.