
Google Chrome Fixes 14 Vulnerabilities Following Zero-Day Flaw Attack

BY Soko Directory Team · June 10, 2021 12:06 pm

KEY POINTS

This is the sixth Chrome zero-day flaw patched so far in 2021. Two patched by Google in April were used in conjunction with two Microsoft flaws discovered by Kaspersky and patched by Microsoft on June 8. 

Google has released a new version of Chrome, 91.0.4472.101, for Windows, Mac, and Linux to fix 14 security vulnerabilities, including one zero-day vulnerability.

The new build has started rolling out across the globe and will be available to users over the next few days.

To ensure that you get this latest version of Chrome, click the three vertical dots at the top right of the browser window, scroll down to Help, and then click on “About Google Chrome” in the fly-out menu.

This action will open a new tab where the new update will be automatically downloaded. After it is done, relaunch the browser.


The zero-day vulnerability was discovered by Sergei Glazunov of Google Project Zero and is being tracked as CVE-2021-30551.

Google says it is “aware that an exploit for CVE-2021-30551 exists in the wild.”

“This zero-day vulnerability was utilized by the same threat actors using the Windows CVE-2021-33742 zero-day that was recently fixed by Microsoft,” said Shane Huntley, Director of Google’s Threat Analysis Group.

CVE-2021-30551 is related to a Windows flaw, also a zero-day, that Google researchers discovered last week and Microsoft patched on June 8. The in-the-wild Chrome vulnerability that the tech giant patched today came from the same actor and targeting. The Chrome team, luckily, patched it within 7 days.

According to the Chrome Releases blog post, the Chrome zero-day is attributed to “type confusion in V8.” V8 is the open-source JavaScript engine used by Chrome and other browsers based on the Chromium project, including Brave, Microsoft Edge, Opera and Vivaldi.

It’s not clear how technically similar the Chrome and Microsoft zero-days are. The Microsoft one affects HTML parsing used in Internet Explorer and other legacy software, but that software is used by the Chromium-based Edge only when in “Internet Explorer mode.”


Bleeping Computer noted that this is the sixth Chrome zero-day flaw patched so far in 2021. Two patched by Google in April were used in conjunction with two Microsoft flaws discovered by Kaspersky and patched by Microsoft on June 8.

All these zero-day flaws seem to have been used in sophisticated nation-state attacks against specific targets, presumably for espionage purposes. But as details leak out about the flaws, criminals may start using them for more indiscriminate attacks against a wider range of targets.

The security risk of today’s Chrome zero-day is rated “High.” However, there’s another fix for a flaw marked “Critical” that involves “use after free in BFCache,” which means that a vulnerability exists in the way Chrome holds recently viewed web pages in a computer’s running memory.

Courtesy: www.tomsguide.com
