Hidden deep in Google’s release notes for the new version of Chrome that shipped on March 1 is a fix for an “object lifecycle issue.” Or, for the less technically inclined, a major bug.

Bugs like these have been common in Chrome, leading some to wonder whether the world’s most popular web browser is as safe as it could be. Google created Chrome as a secure browser and has loaded it with a growing set of security features along the way. Unfortunately, there has also been a history of security problems. This year has highlighted the problem: in just the last three months, three zero-day flaws have been discovered in Chrome. A rate of one flaw a month is … not great.

That said, Chrome is in the unique position of being (by far) the most used web browser. Therefore, far more people are looking for bugs in it than almost any other piece of software. Given that, perhaps it’s not surprising that flaws often turn up. In this article we’ll look at the latest 2021 zero-day flaw and what it tells us about the security of Chrome as a whole.

Another Zero-Day Flaw

Let’s examine this recent flaw. It is tracked as CVE-2021-21166 and was one of a group of flaws reported to Google by Alison Huffman of Microsoft Browser Vulnerability Research on February 11. Though both Microsoft and Google were careful not to release too many details of the vulnerability – lest it be exploited by criminals – it was one example of a related set of flaws that stem from the way that Chrome handles audio.

Eagle-eyed readers will notice, of course, that this means that the flaw was reported almost a month before Google released a patch for it. This kind of