
MacRumors

macrumors bot
Original poster
Apr 12, 2001
54,557
16,653


Google has released Chrome version 88.0.4324.150 with an important fix for a zero-day vulnerability in the web browser that the company says is likely to have been exploited in the wild.

Google hasn't provided specific details about the heap buffer overflow memory corruption bug known as CVE-2021-21148, and says it won't do so "until a majority of users are updated with a fix."

However, ZDNet notes that the date on which Google says the bug was reported, January 24, is just two days after Google's Threat Analysis Group reported a hacking campaign carried out by North Korean hackers against the cyber-security community.

Some of the attacks involved luring security researchers to a blog where the attackers exploited browser zero-days to run malware on the researchers' systems. On January 28, Microsoft also reported that attackers most likely used a Chrome zero-day for their attacks.

The proximity of the two events has led security researchers to suspect that it was indeed the CVE-2021-21148 zero-day that was used in the attacks. As a result, all users are being advised to use the Chrome menu bar's About Google Chrome option to upgrade their browser to the latest version as soon as possible.

Google Chrome for Mac is a free download available directly from Google's servers. Google Chrome for iOS is a free download for iPhone and iPad available on the App Store.

Article Link: Latest Chrome 88 Update Includes Important Fix for Zero-Day Vulnerability
 
Reactions: kazmac

luvbug

macrumors 6502a
Aug 11, 2017
565
1,539
Getting closer every day!
The Brave browser has already updated the stable release to this latest Chrome build. Just FYI. Edit: "latest Chromium build", which tracks the Chrome build exactly, but excludes the closed-source bits.
 
Reactions: kazmac

svanstrom

macrumors 6502a
Feb 8, 2002
787
1,732
🇸🇪
Does this zero-day vulnerability only affect Chrome, or does it affect all Chromium based browsers?
As it seems to be in the V8 engine there's at least a risk that it affects all software that uses V8; however, how it is possible to trigger the problem might make some software automatically safe(r).

Edit: https://v8.dev
 

ArtOfWarfare

macrumors G3
Nov 26, 2007
9,324
5,463
All Chromium browsers. If the browser is open source, it's using "Chromium", but most refer to it as a "Chrome-based" browser, even though it does NOT include Google's proprietary spyware.
What about WebKit based browsers like Safari? Is the exploit something Google added since forking for Chromium, or is it something that was separately fixed already for WebKit?
 

chucker23n1

macrumors 603
Dec 7, 2014
6,081
7,720
What about WebKit based browsers like Safari? Is the exploit something Google added since forking for Chromium, or is it something that was separately fixed already for WebKit?
If the bug is in V8, WebKit won't be affected because WebKit's JS engine was never V8. (Chrome choosing its own JS engine happened long before it forked WebKit to Blink.)

If the bug is outside V8, it is indeed possible that WebKit is affected.
 
Reactions: ArtOfWarfare

macdos

macrumors 6502a
Oct 15, 2017
531
877
Always these "overflows", there's no end to it, it is just like Flash.

Code in apps and OSs should be rewritten from scratch with something else than C and derivatives, something that doesn't use "pointers", something that is tight from start.
 

svanstrom

macrumors 6502a
Feb 8, 2002
787
1,732
🇸🇪
Always these "overflows", there's no end to it, it is just like Flash.

Code in apps and OSs should be rewritten from scratch with something else than C and derivatives, something that doesn't use "pointers", something that is tight from start.
Not quite how reality works. There are no simple "just don't include the bugs"-ways to write software.
 

B60boy

macrumors member
Nov 25, 2014
95
225
Curious as to what others use as a backup browser to Safari? I'm looking to de-google, thus Chrome is out, but need a Chromium browser for the occasional website where Safari doesn't play nice.
 

MysticCow

macrumors 65816
May 27, 2013
1,075
690
Google hasn't provided specific details about the heap buffer overflow memory corruption bug known as CVE-2021-21148, and says it won't do so "until a majority of users are updated with a fix."

"We have discovered a bug where Apple's tracking option will cause Chrome to crash, so we are trying to disable it!"

Internet irony might be lost on this one.
Curious as to what others use as a backup browser to Safari? I'm looking to de-google, thus Chrome is out, but need a Chromium browser for the occasional website where Safari doesn't play nice.

Firefox with uMatrix and Facebook Container. It works wonders to clear the tracking gunk.
 
Reactions: B60boy

mi7chy

macrumors G3
Oct 24, 2014
8,599
9,394
Curious as to what others use as a backup browser to Safari? I'm looking to de-google, thus Chrome is out, but need a Chromium browser for the occasional website where Safari doesn't play nice.

Firefox has the benefit of being Chrome based but uses Rust programming language for memory safety to avoid buffer overflows.
 

chucker23n1

macrumors 603
Dec 7, 2014
6,081
7,720
Not quite how reality works. There are no simple "just don't include the bugs"-ways to write software.
That's true, but they're not wrong that it's time to stop writing new security-relevant code in C. (Luckily, some have started moving to Rust or Swift.)
 

MacBH928

macrumors 604
May 17, 2008
6,574
2,734
Chrome is the Flash of the 2020s... Time to die, spyware.
All Chromium browsers. If the browser is open source, it's using "Chromium", but most refer to it as a "Chrome-based" browser, even though it does NOT include Google's proprietary spyware.

Firefox is open source, it does not use Chromium.

Firefox has the benefit of being Chrome based but uses Rust programming language for memory safety to avoid buffer overflows.
Maybe you are talking about Brave? Firefox has its own source code with Gecko rendering engine?

Curious as to what others use as a backup browser to Safari? I'm looking to de-google, thus Chrome is out, but need a Chromium browser for the occasional website where Safari doesn't play nice.

Brave, my friend, set it to light mode and it's a near 1:1 replica of Chrome. It's Chrome without the spyware. It's open source. It's led by the prior CEO of Mozilla/Firefox, the guy that created JavaScript! It's not some amateur stuff.

You can use Firefox too.

But there is no double tap to zoom.

I actually didn't know about that and I use Safari mainly now. Recently they added pinch to zoom though.

That's true, but they're not wrong that it's time to stop writing new security-relevant code in C. (Luckily, some have started moving to Rust or Swift.)

ahhh...Are you saying programming in C is bad now? I just had the idea that C, C#, C+, C++ are super languages that if you know how to program in you are a computer genius. Don't argue with me, I am no programmer. Just an impression I had. Also, Swift works on non-Apple devices?
 

chucker23n1

macrumors 603
Dec 7, 2014
6,081
7,720
ahhh...Are you saying programming in C is bad now?

If memory safety matters, yes.

I just had the idea that C, C#, C+, C++

C+ isn't a thing, and C# is a completely different language unrelated other than syntax.

are super languages that if you know how to program in you are a computer genius. Don't argue with me, I am no programmer.

Not sure why you would even bring any of this up, then.

Just an impression I had. Also, Swift works on non-Apple devices?

It does, but yes, Rust is more common.
 

Johnny907

macrumors 68000
Sep 20, 2014
1,611
2,763
That’s great. I was signed out of everything after the update ran and now none of my passwords auto populate. I intentionally vary my passwords across multiple sites for security reasons, so this has been a fun morning filled with trial and error login attempts.
 

MacBH928

macrumors 604
May 17, 2008
6,574
2,734
That’s great. I was signed out of everything after the update ran and now none of my passwords auto populate. I intentionally vary my passwords across multiple sites for security reasons, so this has been a fun morning filled with trial and error login attempts.
Use a password manager, I recommend 1Password. I hear good things about Bitwarden. Some people like Keychain.

Safari is so bad under Big Sur that I'm considering Chrome for the first time

Brave (ungoogled Chrome) or Firefox
 