Written by Sean Lyngaas
Google has released an urgent software update for a flaw in the popular Chrome browser amid reports that an exploit for the bug is already available.
The vulnerability is in Blink, the feature that Chrome uses to convert HTML code to web pages, and could allow an attacker to execute code remotely or conduct a denial-of-service attack on a machine, according to IBM. An anonymous researcher reported the issue to Google on March 9, and the company released a fix for the bug on March 12.
It’s the third so-called zero-day, or previously unknown, vulnerability that Chrome has addressed this year. It’s an example of the high-stakes cat-and-mouse game between attackers searching for holes in popular software and vendors moving to plug them.
In a blog post, Google Chrome’s Prudhvikumar Bommana did not offer additional details on the bug. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” he wrote, adding that Google was aware of reports that the vulnerability had been exploited in the wild
Vulnerabilities in popular web browsers can be particularly valuable to spies, allowing them to cast a vast surveillance net from which to pluck individual targets. Such was apparently the case when hackers used three zero-days in Internet Explorer to target people working on North Korean issues in 2019 and 2020.
It was not immediately clear which hackers were exploiting the new Blink vulnerability.