Google has released a new version of Chrome, 91.0.4472.101, for Windows, Mac, and Linux to fix 14 security vulnerabilities, including one zero-day vulnerability.
The new build has started rolling out across the globe and will reach users over the next few days.
To ensure that you get this latest version of Chrome, click the three vertical dots at the top right of the browser window, scroll down to Help, and then click on “About Google Chrome” in the fly-out menu.
This action will open a new tab where the new update will be automatically downloaded. After it is done, relaunch the browser.
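For anyone checking more than one machine, the sketch below compares reported Chrome versions against the fixed build 91.0.4472.101 named above. It is an added example, not Google's tooling; the tab-separated "host, version string" inventory format, the host names, and the sample versions are constructed assumptions.

```python
import re

# Fixed build named in the article; anything lower still carries CVE-2021-30551.
PATCHED = (91, 0, 4472, 101)

# Chrome versions are four dot-separated integers (major.minor.build.patch).
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(text):
    """Label a reported version string as 'patched', 'vulnerable' or 'unknown'."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # unparseable reports need manual follow-up
    # Tuple comparison is numeric per field, so 91.0.4472.77 < 91.0.4472.101
    # (a plain string comparison would rank "77" above "101").
    return "patched" if version >= PATCHED else "vulnerable"


def audit(inventory):
    """Map each host in 'host<TAB>version string' lines to its status."""
    results = {}
    for line in inventory.strip().splitlines():
        host, _, reported = line.partition("\t")
        results[host.strip()] = classify(reported)
    return results


# Constructed sample inventory (hypothetical hosts and versions, not real data).
SAMPLE = """\
ws-01\tGoogle Chrome 91.0.4472.101
ws-02\tGoogle Chrome 91.0.4472.77
ws-03\tGoogle Chrome 90.0.4430.212
ws-04\tGoogle Chrome 92.0.4515.40 beta
ws-05\tnot installed
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" have no parseable version and should be checked by hand rather than assumed safe.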
The vulnerability was discovered by Sergei Glazunov of Google Project Zero and is being tracked as CVE-2021-30551.
According to Google, they are “aware that an exploit for CVE-2021-30551 exists in the wild.”
“This zero-day vulnerability was utilized by the same threat actors using the Windows CVE-2021-33742 zero-day that was recently fixed by Microsoft,” said Shane Huntley, Director of Google’s Threat Analysis Group.
The vulnerability, catalogued as CVE-2021-30551, is related to a Windows flaw, also a zero-day, that Google researchers discovered last week and Microsoft patched on June 8. CVE-2021-30551, the in-the-wild Chrome vulnerability that Google patched today, came from the same actor and the same targeting. Luckily, the Chrome team patched it within 7 days.
It’s not clear how technically similar the Chrome and Microsoft zero-days are. The Microsoft one affects HTML parsing used in Internet Explorer and other legacy software, but that software is used by the Chromium-based Edge only when in “Internet Explorer mode.”
Bleeping Computer noted that this is the sixth Chrome zero-day flaw patched so far in 2021. Two patched by Google in April were used in conjunction with two Microsoft flaws discovered by Kaspersky and patched by Microsoft on June 8.
All these zero-day flaws seem to have been used in sophisticated nation-state attacks against specific targets, presumably for espionage purposes. But as details leak out about the flaws, criminals may start using them for more indiscriminate attacks against a wider range of targets.
The security risk of today’s Chrome zero-day is rated “High.” However, there’s another fix for a flaw marked “Critical” that involves “use after free in BFCache,” which means that a vulnerability exists in the way Chrome holds recently viewed web pages in a computer’s running memory.