The Hacker NewsTHN:50D7C51FE6D69FC5DB5B37402AD0E412Update Google Chrome ASAP to Patch 2 New Actively Exploited Zero-Day Flaws
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
Google on Thursday pushed urgent security fixes for its Chrome browser, including a pair of new security weaknesses that the company said are being exploited in the wild, making them the fourth and fifth actively zero-days plugged this month alone.
The issues, designated as CVE-2021-37975 and CVE-2021-37976, are part of a total of four patches, and concern a use-after-free flaw in V8 JavaScript and WebAssembly engine as well as an information leak in core.
As is usually the case, the tech giant has refrained from sharing any additional details regarding how these zero-day vulnerabilities were used in attacks so as to allow a majority of users to be updated with the patches, but noted that it’s aware that “exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.”
An anonymous researcher has been credited with reporting CVE-2021-37975. The discovery of CVE-2021-37976, on the other hand, involves Clément Lecigne from Google Threat Analysis Group, who was also credited with CVE-2021-37973, another actively exploited use-after-free vulnerability in Chrome’s Portals API that was reported last week, raising the possibility that the two flaws may have been stringed together as part of an exploit chain to execute arbitrary code.
With the latest update, Google has addressed a record 14 zero-days in the web browser since the start of the year.
- CVE-2021-21148 - Heap buffer overflow in V8
- CVE-2021-21166 - Object recycle issue in audio
- CVE-2021-21193 - Use-after-free in Blink
- CVE-2021-21206 - Use-after-free in Blink
- CVE-2021-21220 - Insufficient validation of untrusted input in V8 for x86_64
- CVE-2021-21224 - Type confusion in V8
- CVE-2021-30551 - Type confusion in V8
- CVE-2021-30554 - Use-after-free in WebGL
- CVE-2021-30563 - Type confusion in V8
- CVE-2021-30632 - Out of bounds write in V8
- CVE-2021-30633 - Use-after-free in Indexed DB API
- CVE-2021-37973 - Use-after-free in Portals
Chrome users are advised to update to the latest version (94.0.4606.71) for Windows, Mac, and Linux by heading to Settings > Help > ‘About Google Chrome’ to mitigate any potential risk of active exploitation.
Found this article interesting? Follow THN on Facebook, Twitter and LinkedIn to read more exclusive content we post.
Related
9.6 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P