Threat Level: HIGH
Components Affected
Google Chrome browser on Windows, Mac, or Linux computers.
Description
Google has updated Chrome to fix 14 security flaws, including a "zero-day" flaw tracked as CVE-2021-30551, a type confusion bug in the V8 JavaScript and WebAssembly engine. Google states that an exploit for this vulnerability exists in the wild and is being used by attackers. Further technical details about the nature of the attacks are to be released in the coming weeks, to allow the majority of users to install the update before other threat actors can build exploits targeting the flaw.
Impact
- Memory corruption in the V8 engine when a victim visits a crafted web page, which can lead to arbitrary code execution within the browser's renderer process
- Exposure of sensitive information to unauthorized parties and other malicious activity carried out through the compromised browser
Solution / Workarounds
Update the Google Chrome browser to version 91.0.4472.101 or later by opening the Chrome menu > Help > About Google Chrome. Chrome downloads the update but does not apply it until the browser is relaunched, so relaunch after updating and confirm that the About page shows 91.0.4472.101 or later.
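The following script is an added example and not part of the original advisory. It reads the locally installed Chrome version and compares it numerically, field by field, against the fixed build, which is what you want when verifying the update across many hosts rather than clicking through each About page. The Linux binary names, the macOS application path and the Windows registry key it consults are assumptions about a default install.

```python
import re
import shutil
import subprocess
import sys

# Stable-channel build that ships the fix for CVE-2021-30551 (from the advisory).
FIXED_VERSION = "91.0.4472.101"

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull the four-part Chrome version out of a string such as
    'Google Chrome 91.0.4472.77' and return it as a tuple of ints, so that
    tuple comparison orders versions numerically. Raises ValueError when
    no version is present."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(installed, fixed=FIXED_VERSION):
    """True when `installed` (a version string or tuple) is at or above the
    fixed build. Comparing as tuples avoids the classic mistake of comparing
    the raw strings, under which '91.0.4472.77' sorts *after* '91.0.4472.101'."""
    if isinstance(installed, str):
        installed = parse_version(installed)
    return tuple(installed) >= parse_version(fixed)


def installed_chrome_version():
    """Best-effort lookup of the local Chrome version string; None if not found.
    Linux binary names and the macOS app path are assumptions about a default
    install; on Windows the version is read from the BLBeacon registry key that
    the Chrome installer maintains (also an assumption about a default install)."""
    if sys.platform == "win32":
        try:
            import winreg
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                                r"Software\Google\Chrome\BLBeacon") as key:
                return winreg.QueryValueEx(key, "version")[0]
        except OSError:
            return None
    candidates = [
        "google-chrome", "google-chrome-stable", "chromium", "chromium-browser",
        "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
    ]
    for exe in candidates:
        path = shutil.which(exe)
        if not path:
            continue
        try:
            result = subprocess.run([path, "--version"], capture_output=True,
                                    text=True, timeout=10, check=False)
        except (OSError, subprocess.SubprocessError):
            continue
        if result.stdout.strip():
            return result.stdout.strip()
    return None


def main():
    version = installed_chrome_version()
    if version is None:
        print("Google Chrome not found on this host")
        return 2
    patched = is_patched(version)
    status = "patched" if patched else "VULNERABLE: update required"
    print(f"installed: {version}  fixed: {FIXED_VERSION}  -> {status}")
    return 0 if patched else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it with `python3 check_chrome.py`; the exit code (0 patched, 1 vulnerable, 2 not installed) makes it easy to drive from a configuration-management or endpoint-management job. Note that the version check only tells you what binary is on disk; a Chrome process that has been running since before the update still has the old code loaded until it is relaunched.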
Google rolled out an urgent update for the Chrome browser on Wednesday, 9 June 2021, addressing 14 newly discovered security issues, including a zero-day flaw that it says is being actively exploited in the wild. Chrome users on Windows, Mac and Linux should install the update immediately.
Tracked as CVE-2021-30551, the vulnerability stems from a type confusion issue in V8, Chrome's open-source JavaScript and WebAssembly engine. Sergei Glazunov of Google Project Zero has been credited with discovering and reporting the flaw.
Although the Chrome team issued only a terse statement acknowledging that "an exploit for CVE-2021-30551 exists in the wild," Shane Huntley, Director of Google's Threat Analysis Group, indicated that the vulnerability was leveraged by the same actor that abused CVE-2021-33742, an actively exploited remote code execution flaw in the Windows MSHTML platform that Microsoft addressed in its Patch Tuesday update on June 8.
The two zero-days are said to have been provided by a commercial exploit broker to a nation-state actor, which used them in limited attacks against targets in Eastern Europe and the Middle East, Huntley said.
With the latest fix, Google has addressed a total of seven zero-days in Chrome since the start of the year: CVE-2021-30551 and the six earlier flaws listed below.
- CVE-2021-21148 - Heap buffer overflow in V8
- CVE-2021-21166 - Object lifecycle issue in audio
- CVE-2021-21193 - Use-after-free in Blink
- CVE-2021-21206 - Use-after-free in Blink
- CVE-2021-21220 - Insufficient validation of untrusted input in V8 for x86_64
- CVE-2021-21224 - Type confusion in V8
Reference
- https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html
- https://www.google.com/chrome/
- https://thehackernews.com/2021/06/new-chrome-0-day-bug-under-active.html
- https://www.cert.gov.lk
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.