Digging Into the Third Zero-Day Chrome Flaw of 2021

Hidden deep in Google’s release notes for the new version of Chrome that shipped on March 1 is a fix for an “object lifecycle issue.” Or, for the less technically inclined, a major bug.

Bugs like these have been common in Chrome, leading some to wonder whether the world’s most popular web browser is as safe as it could be? Google created Chrome as a secure browser and has loaded it with a growing set of security features along the way. Unfortunately, there has also been a history of security problems. This has been highlighted this year, because in just the last three months there have been three zero-day flaws discovered in Chrome. A rate of one flaw a month is … not great.

That said, Chrome is in the unique position of being (by far) the most used web browser. Therefore, far more people are looking for bugs in it than almost any other piece of software. Given that, perhaps it’s not surprising that flaws often turn up. In this article we’ll look at the latest 2021 zero-day flaw and what it tells us about the security of Chrome as a whole.

Another Zero-Day Flaw

Let’s examine this recent flaw. It was being tracked as CVE-2021-21166 and was one of a group of flaws reported to Google by Alison Huffman of Microsoft Browser Vulnerability Research on February 11. Though both Microsoft and Google were careful not to release too many details of the vulnerability – lest it be exploited by criminals – it was one example of a related set of flaws that stem from the way that Chrome handles audio.

Eagle-eyed readers will notice, of course, that this means that the flaw was reported almost a month before Google released a patch for it. This kind of vulnerability, which is known to the software vendor but does not yet have a security fix, is known as a zero-day vulnerability. These kinds of vulnerabilities are particularly dangerous – because they are often exploited by cybercriminals – and have also affected Chrome to a high degree.

This was explicitly noted by a number of analysts, and by Google itself, in relation to the most recent flaws. Google was honest, at least, about the danger posed by this problem – “Google is aware of reports that an exploit for CVE-2021-21166 exists in the wild,” Chrome Technical Program Manager Prudhvikumar Bommana said.

A History of Vulnerabilities

The browser has been affected by more than a few zero-day flaws recently. Google resolved five Chrome zero-days that were actively exploited in the wild in a span of one month between October 20 and November 12 last year.

Two of these flaws affected the way that the browser implements Java. Unlike the most recent vulnerabilities, these were found by anonymous contributors to Google’s bug reporting project. Like the most recent flaws, it took almost a month for Google to fix them.

As notable as the number of flaws, though, is their scope. As I’ve mentioned, Chrome is by far the most-used browser in the world, with some 63.38% of the market. Even small flaws have the potential to affect hundreds of millions of users, which means there will always be unpatched instances of the browser being run somewhere, and these will remain open for exploitation.

This has led some to ask an important question:

Is Chrome Safe?

Unfortunately, this is not an easy question to answer.

That’s because it’s difficult to identify a benchmark to measure Chrome against. Far more people are on the internet than ever before. Most of these people use Chrome. This leads to a conclusion often overlooked by security analysts – Chrome may be the single most-used piece of software in world history.

This fact has some strange and complicated effects. One is that there are more people looking for flaws in Chrome – both malicious hackers and researchers – than almost any other piece of software. In principle, this should mean that the browser is actually one of the safest pieces of software out there, simply because it is the most tested. One school of thought would say, in other words, that the number of zero-day flaws seen in Chrome is evidence that it is being thoroughly tested.

Viewed another way, our society-wide dependence on Chrome is concerning. So many people conduct so much of their business through the browser that a vulnerability has the potential to be more serious than a compromised social media account.

Consider, for instance, the fact that half of all buyers find their homes through the internet, or that, globally, we spend an average of 2-3 hours on social media a day. As a result, the amount of data collected via Chrome becomes worryingly vast. And then, if you want a further scare, consider that Google recently added extra support for remote work because, well, everyone in the world who could was working via Chrome.

The Bottom Line

In this context, the answer to the question “Is Chrome safe?” takes on a new dimension. Whether the software has a good security record, or the fact that it can help you with a variety of other online tasks, is almost arbitrary. The problem is that so much of our work, our social lives, and our whole society relies on one piece of software that any flaw is potentially enormously dangerous.


Bernie Brode talks aboutNetgear Router Vulnerabilities

About the Author: Bernard Brode (@BernieBrode) is a product researcher at Microscopic Machines and remains eternally curious about where the intersection of AI, cybersecurity, and nanotechnology will eventually take us.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.