Linux Bugs

Google fixes seventh zero-day Chrome exploited in the wild this year

Google released Chrome 91.0.4472.114 for Windows, Mac, and Linux to address four security vulnerabilities, one of which is a high-severity zero-day vulnerability that was exploited in the wild.

This version, released today, June 17, 2021, on the Stable desktop channel, has started rolling out worldwide and will be available to all users over the next few days.

Google Chrome will automatically attempt to upgrade the browser the next time you launch the program, but you can update manually by going to Settings> Help> “About Google Chrome”.

No details about zero-day attacks in the wild

“Google is aware that an exploit for CVE-2021-30554 exists in the wild,” the company announcement said.

Zero-day is caused by usage after free weakness in the Web Graphics Library (WebGL) JavaScript API used by Chrome web browsers to render interactive 2D and 3D graphics without the use of plugins.

Successful exploitation of this vulnerability could lead to the execution of arbitrary code on computers running unpatched versions of Chrome.

Although Google claims to be aware of the savage exploitation of CVE-2021-30554, it has not shared any information regarding these attacks.

“Access to bug details and links may be restricted until a majority of users are updated with a fix,” the company said.

“We will also keep restrictions if the bug exists in a third-party library that other projects depend on the same way, but has not yet been fixed.”

Google fixed three other high severity uses after free bugs today in the Share, WebAudio, and TabGroups components of Chrome, tracked as CVE-2021-30555, CVE-2021-30556, and CVE-2021-30557.

Seventh day zero Chromium mined in the wild this year

Today’s update fixes the seventh zero-day Google Chrome vulnerability exploited in attacks this year, with the remaining six listed below:

In addition to these zero-days, Kaspersky reported that a threatening group of actors known as Puzzlemaker chain zero-day Chrome bugs to escape the browser sandbox and install malware on Windows systems. .

“After attackers use both Chrome and Windows exploits to gain a foothold in the targeted system, the staging module downloads and executes a more complex malware dropper from a remote server,” Kaspersky said.

Project Zero, Google’s zero-day bug hunting team, also unveiled a large-scale operation where a group of hackers used 11 zero-days to attack Windows, iOS, and Android users in a single year.


Source link

Leave a Reply

Your email address will not be published. Required fields are marked *