Kaspersky: FinFisher spyware upgrade particularly worrying (theregister.com)
The two flaws are CVE-2021-21220, which is based on insufficient validation of untrusted input in the V8 JavaScript rendering engine, and CVE-2021-21206, which is a use-after-free bug in the Blink browser engine. Hackers are exploiting these two flaws to execute code in a victim’s web browser, but depending on the privileges tied to the browser, an attacker could also view, change, or delete data.
The former vulnerability was demonstrated by Dataflow Security researchers Bruno Keith and Niklas Baumstark at the Pwn2Own 2021 hacking contest, while an anonymous researcher has been credited with reporting the latter flaw to Google.