Google's developers updated the desktop version of the Chrome browser for Linux, macOS and Windows to version 88.0.4324.150 on February 4, 2021. This security update fixes a critical vulnerability present in older browser versions. Microsoft has also released Edge 88.0.705.62, which fixes seven vulnerabilities. Internet Explorer also has a 0-day vulnerability. Addendum: An update to Edge 88.0.705.63 has been available since Feb. 5, 2021.
Chrome 88.0.4324.150 fixes a critical vulnerability
The Google blog has this post on Chrome 88.0.4324.150, which lists one fixed vulnerability for the desktop version:
[$TBD][1170176] High CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24
Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild. So the browser should be updated quickly. The Chrome build for Windows, Mac and Linux will be rolled out to systems via the automatic update feature over the next few days. However, you can also download this build here.
ZDNet points out in this article that North Korean hackers are believed to have attacked security researchers via a 0-day vulnerability in Google Chrome. Microsoft has published this article about it.
0-day vulnerability in Internet Explorer
In addition, there is a Korean article in which security researchers announce a discovered 0-day vulnerability in Internet Explorer, which is also used for such attacks. Bleeping Computer has this post on the topic. So far Microsoft has not announced anything regarding an update.
Edge 88.0.705.62 fixes seven vulnerabilities
As of February 4, 2021, Microsoft has updated the Chromium-based Edge browser to version 88.0.705.62. This version is based on Chrome 88.0.4324.146, according to this MS page. This is a security update that fixes seven vulnerabilities, according to this Microsoft security page.
- CVE-2021-24113: (HTML-based) Security Feature Bypass Vulnerability
- CVE-2021-21143: Heap buffer overflow in Extensions
- CVE-2021-21142: Use after free in Payments
- CVE-2021-21144: Heap buffer overflow in Tab Groups
- CVE-2021-21145: Use after free in Fonts
- CVE-2021-21146: Use after free in Navigation
- CVE-2021-21147: Inappropriate implementation in Skia
The browser should be updated automatically.
Microsoft released Edge 88.0.705.63
Addendum: Microsoft released Edge 88.0.705.63 on February 5, 2021. I received the following advisory overnight:
*******************************************************************************
Title: Microsoft Security Update Releases
Issued: February 5, 2021
*******************************************************************************
Summary
=======
The following CVEs have been released on February 4, 2021.
* CVE-2021-24113
– CVE-2021-24113 | Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability
– https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24113
– Version 1.0
– Reason for Revision: Information published.
– Originally posted: February 4, 2021
– Updated: N/A
– Aggregate CVE Severity Rating: Important
The following CVEs released on February 4, 2021 and February 5, 2021 were assigned by Chrome. Microsoft Edge
(Chromium-based) ingests Chromium, which addresses these vulnerabilities. Please see
Google Chrome Releases (https://chromereleases.googleblog.com/2021) for more information.
See
https://msrc-blog.microsoft.com/2021/01/13/security-update-guide-supports-cves-assigned-by-industry-partners/
for more information about third-party CVEs in the Security Update Guide.
* CVE-2021-21148
Revision Information:
=====================
– Version 1.0
– Reason for Revision: Information published.
– Originally posted: February 5, 2021
* CVE-2021-21142
* CVE-2021-21143
* CVE-2021-21144
* CVE-2021-21145
* CVE-2021-21146
* CVE-2021-21147
Revision Information:
=====================
– Version 1.0
– Reason for Revision: Information published.
– Originally posted: February 4, 2021
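To confirm that the automatic updates actually arrived, a software inventory can be checked against the fixed builds named in this post. The following is an added example, not part of the original post or of any vendor tooling; the inventory format, host names and product labels are assumptions, and the sample data is constructed.

```python
import re

# Fixed builds named in the post; the product keys are this example's own labels.
FIXED = {
    "chrome": (88, 0, 4324, 150),
    "edge": (88, 0, 705, 63),
}

# Constructed sample inventory (host,product,version), not real data.
SAMPLE_INVENTORY = """\
ws-001,chrome,88.0.4324.150
ws-002,chrome,88.0.4324.96
ws-003,edge,88.0.705.62
ws-004,edge,88.0.705.63
ws-006,edge,unknown
ws-007,chrome,89.0.4389.72
"""

VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not a.b.c.d."""
    text = text.strip()
    if not VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def audit(inventory):
    """Classify each host as 'ok', 'outdated' or 'unknown'."""
    results = {}
    for line in inventory.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            continue  # skip blank or malformed rows
        host, product, version = fields
        fixed = FIXED.get(product.lower())
        parsed = parse_version(version)
        if fixed is None or parsed is None:
            # Unparseable versions need a manual look, not a silent pass.
            results[host] = "unknown"
        else:
            # Tuple comparison is numeric per component, so .96 < .150.
            results[host] = "ok" if parsed >= fixed else "outdated"
    return results


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Comparing the version strings directly would rate 88.0.4324.96 as newer than 88.0.4324.150, which is why each component is converted to an integer first.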