Is your Chrome browser up-to-date? Google just released fixes for 11 security vulnerabilities, two of which are actively exploited in the wild. All 11 vulnerabilities are highly dangerous.
To prevent your browser from being exploited by hackers, you should apply the update immediately.
The two actively exploited flaws are zero-days identified as CVE-2021-30632 and CVE-2021-30633.
CVE-2021-30632 and CVE-2021-30633 Zero-Days in Chrome
Not surprisingly, the vulnerabilities reside in V8 JavaScript engine. CVE-2021-30632 is an out of bounds write in the engine, whereas CVE-2021-30633 is a use after free in Indexed DB API. Both flaws were reported by an anonymous party.
Here’s the list of all 11 security issues fixed in 93.0.4577.82 for Windows, Mac and Linux which will roll out over the coming days:
[$7500][1237533] High CVE-2021-30625: Use after free in Selection API. Reported by Marcin Towalski of Cisco Talos on 2021-08-06
[$7500][1241036] High CVE-2021-30626: Out of bounds memory access in ANGLE. Reported by Jeonghoon Shin of Theori on 2021-08-18
[$5000][1245786] High CVE-2021-30627: Type Confusion in Blink layout. Reported by Aki Helin of OUSPG on 2021-09-01
[$TBD][1241123] High CVE-2021-30628: Stack buffer overflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-08-18
[$TBD][1243646] High CVE-2021-30629: Use after free in Permissions. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2021-08-26
[$TBD][1244568] High CVE-2021-30630: Inappropriate implementation in Blink . Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-30
[$TBD][1246932] High CVE-2021-30631: Type Confusion in Blink layout. Reported by Atte Kettunen of OUSPG on 2021-09-06
[$TBD][1247763] High CVE-2021-30632: Out of bounds write in V8. Reported by Anonymous on 2021-09-08
[$TBD][1247766] High CVE-2021-30633: Use after free in Indexed DB API. Reported by Anonymous on 2021-09-08
Earlier this year, Indian security researcher Rajvardhan Agarwal published a proof-of-concept code for another V8 JavaScript engine vulnerability affecting Google Chrome, Microsoft Edge, Brave, and Opera (all Chromium-based).
The vulnerability is most likely the same flaw, which was demonstrated during Pwn2Own 2021 by Dataflow Security’s researchers Bruno Keith and Niklas Baumstark. The two researchers won $100,000 from the hacking contest for successfully exploiting the vulnerability to run malicious code within Chrome and Edge browsers.