Have you patched your Chrome browser? Google just fixed a serious vulnerability in its browser, stemming from a type confusion issue in its V8 open-source engine. Tracked as CVE-2021-30551, the vulnerability was discovered by Sergei Glazunov from Google Project Zero.
Google Fixes CVE-2021-30551 and Several Other Serious Bugs in Chrome
In addition to this vulnerability, fixed in Windows, macOS, and Linux, the company addressed several other flaws: CVE-2021-30544, CVE-2021-30545, CVE-2021-30546, CVE-2021-30547, CVE-2021-30548, CVE-2021-30549, CVE-2021-30550. CVE-2021-30551, in particular, has been used in active exploits in the wild, so patching your Chrome browser should be a top priority.
Shane Huntley, Director of Google’s Threat Analysis Group said that the CVE-2021-30551 vulnerability was exploited by the same threat actor that leveraged CVE-2021-33742. The latter is an actively exploited remote code execution bug in the Windows MSHTML platform, recently addressed by Microsoft in its Patch Tuesday update on June 8. CVE-2021-33742 is a Windows MSHTML Platform Remote Code Execution Vulnerability, which is a critical issue with a CVSS 7.5 rating.
According to security researchers, it seems that the two zero-day vulnerabilities have been provided by a commercial exploit broker to a nation-state actor. The latter utilized the zero-days in limited attacks against targets in Eastern Europe and the Middle East. We are expecting more technical information about the nature of the attacks to be released in the upcoming weeks, thus allowing time for users to update and prevent their systems.
In April, Google fixed another zero-day in its popular browser. Tracked as CVE-2021-21224, the vulnerability had exploits for it in the wild. According to security researcher Lei Cao, the vulnerability is triggered by performing integer data type conversion. This creates an out-of-bounds condition that could cause arbitrary memory read/write primitive.
You should check whether you are running the latest version of Google Chrome. “The Stable channel has been updated to 91.0.4472.101 for Windows, Mac and Linux which will roll out over the coming days/weeks,” Google said in its blog post.