The Google Chrome patch, which is being pushed through the browser's automatic self-patching mechanism, covers a critical vulnerability in V8, Google's JavaScript and WebAssembly engine. Users on Windows, macOS and Linux systems are exposed by the "high risk" vulnerability.

The Google advisory is light on information:

"High CVE-2021-21148: Heap buffer overflow in V8. Reported by Mattias Buelens on 2021-01-24.

Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild.

We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel."

Technical details on the vulnerability are being kept secret.

The patch release comes amid allegations that a Google Chrome zero-day exploit was being used in the North Korean government-backed attacks against various researchers and personalities spread across the offensive and defensive security space.

Outside a blog post with the initial alert from its TAG (Threat Analysis Group), Google has been silent about the potential use of a Chrome zero-day in the North Korean social-engineering campaign, and about whether this new fix provides protection for that vulnerability. A source said that the two issues are "unrelated" but insisted that a full investigation has not yet been concluded.

Adding fuel to the fire, South Korean security vendor ENKI has published a report that a Microsoft Internet Explorer (IE) browser zero-day could also be linked to the North Korean campaign. ENKI said its own researchers were targeted by the operation and that the targeting approach involved the use of malicious MHTML files that led to drive-by IE downloads.
Curiously, public data shows that the Internet Explorer browser appears to be commonly used in South Korea.

Microsoft has itself reported its own findings on the North Korean hacking against white-hat researchers, threat intelligence and offensive security practitioners, but Microsoft does not list the use of an Internet Explorer zero-day. However, Microsoft does identify the use of MHTML files directly targeting the old Internet Explorer:

"In addition to the social engineering attacks via social media platforms, we observed that ZINC sent researchers a copy of a br0vvnn blog page saved as an MHTML file with instructions to open it with Internet Explorer. The MHTML file contained some obfuscated JavaScript that called out to a ZINC-controlled domain for further JavaScript to execute. The site was down at the time of investigation and we have not been able to retrieve the payload for further analysis."

The ENKI findings were initially submitted via what was described as a "wrong channel", a Microsoft representative said. The spokesperson added, "Microsoft has a customer commitment to review suspected security vulnerabilities and we will include patches for compromised devices as soon as possible."

Security researchers at Kaspersky linked the attacks to a sub-group under Lazarus, the notorious North Korean threat actor known across the globe for launching disruptive malware and ransomware attacks.

— Costin Raiu (@craiu) January 26, 2021