Serious ‘Zero Day’ vulnerability comes to light in Google Chrome

Mumbai A serious new Zero Day vulnerability has come to light in Google Chrome, the most widely used browser in India, and it is already confirmed to have been exploited by hackers to gain access to devices of Chrome users.

Additionally, 22 more vulnerabilities have also been reported, and the Indian Computer Emergency Response Team (CERT-In) has classified all 23 bugs as ‘high’ in severity.

Among the most serious of all software vulnerabilities, a Zero Day is only discovered when it is exploited by hackers. It is so named because there are zero days between its exploitation and discovery. This is the sixth Zero Day vulnerability to come to light in Google Chrome this year alone. According to 2021 statistics, Chrome occupied 85.97 per cent share in terms of browsers used by Indians.

On Monday, CERT-In issued two official advisories, of which the first one warned Chrome users of the Zero Day vulnerability in the browser. “A remote attacker could exploit this vulnerability by executing a specially crafted request on the targeted system. Successful exploitation of this vulnerability could allow the attacker to bypass security restrictions on the targeted system,” CERT-In has stated in the advisory.

A ‘specially crafted request’ refers to a document or image file with malicious code embedded in it. Such files are sent in massive numbers via phishing emails or messages and any Chrome user who opens the file ends up unwittingly installing the malicious code in their device, thereby opening it up for external attack.

The CERT-In advisory goes on to say, “The vulnerability is being exploited in the wild. Users are advised to patch vulnerable devices immediately.”

“’In the wild’ is the technical term used to signify that a technology – in this case the exploit for the vulnerability – has passed through the development phase and is now being publicly used. In simpler words, hackers have the exploit readily available at their disposal and are making full use of it.

Last week, Google officially acknowledged the vulnerability and released an urgent patch for it. Google has also categorised the vulnerability as ‘high’ in severity. “Google is aware of reports that an exploit for the vulnerability exists in the wild,” the tech giant’s official note on their website stated.

Meanwhile, CERT-In’s second advisory warns Chrome users of 22 more vulnerabilities, all of them ‘high’ in severity. However, there are no reports of any of these having been exploited so far.

“Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition on the targeted system,” CERT-In has warned.

Execution of arbitrary code refers to hackers running any programmes that they want on the compromised device, as opposed to the users of the device having control over them. A denial-of-service condition means that hackers can crash a particular service, denying it to its users and causing losses to its manufacturers when users start turning to alternative products.