Google has released the Chrome 89.0.4389.128 update, which fixes two vulnerabilities (CVE-2021-21206, CVE-2021-21220) for which working exploits are available (0-day). The CVE-2021-21220 vulnerability was used to compromise Chrome at the Pwn2Own 2021 competition.
The vulnerability is exploited by running specially crafted WebAssembly code (it is caused by an error in the WebAssembly machine that allows data to be written to or read from an arbitrary memory address). It is noted that the demonstrated exploit does not bypass sandbox isolation, and a full attack requires finding another vulnerability to escape the sandbox (such a vulnerability, for Windows, was demonstrated at the Pwn2Own 2021 competition).
An example exploit for this issue was published on GitHub after the fix was made in the V8 engine, but without waiting for the browsers based on it to be updated (even if the exploit had not been published, attackers would have been able to recreate it from an analysis of the changes in the V8 repository, which has already happened before in a situation where a V8 fix had been published but the products based on it had not yet been updated).
In addition, it is worth noting a change in the release schedule of Chrome 90 for Linux, Windows and macOS. This release was scheduled for April 13, but it was not published yesterday; only its Android version was. Another beta release of Chrome 90 was released today. The new release date has not yet been announced.
Source: opennet.ru
