CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.6%
Google is warning that a bug in its Chrome web browser is actively under attack, and it is urging users to upgrade to the latest 91.0.4472.101 version to mitigate the issue.
In all, Google rolled out fixes for 14 bugs impacting its Windows, Mac and Linux browsers as part of its June update to the Chrome desktop browser.
âGoogle is aware that an exploit for CVE-2021-30551 exists in the wild,â wrote Chrome technical program manager Prudhvikumar Bommana in a Wednesday post. That exploit is identified as a type confusion bug within Googleâs V8 open-source JavaScript and WebAssembly engine.
The confusion vulnerability is tied to the browserâs ActionScript Virtual Machine. âUsually, when a piece of code doesnât verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion,â according to a technical description of the bug.
The update coincides with the release of the Android Chrome browser to Chrome 91 (91.0.4472.101), also on Wednesday. While the desktop and mobile versions of the Chrome web browser share the same version number, it is unclear if the updated Android Chrome browser is impacted by the same vulnerabilities.
Also unclear is if Microsoftâs Edge browser, based on the Chromium open-source browser codebase (principally developed and maintained by Google), is also impacted.
In related news, on Tuesday, Microsoft released a patch for vulnerabilities under active attack, including CVE-2021-33742, impacting its Edge browser. That bug is a remote-code execution (RCE) vulnerability within the Edge browserâs MSHTML component.
âThe MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control,â Microsoft explained.
As part of the June Chrome update, Google patched a critical use-after-free bug (CVE-2021-30544) within the browserâs optimization engine called BFCache. This browser component enables back-and-forward navigation between cached webpages within Chrome.
As customary with recently disclosed bugs, Google did not release the details tied to any of the vulnerabilities patched Wednesday. âAccess to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but havenât yet fixed,â the Google advisory stated.
Google credits Rong Jian and Guang Gong of 360 Alpha Lab for finding the BFCache bug in May. For their bug hunting efforts, the pair earned $25,000.
Download our exclusive FREE Threatpost Insider eBook,â2021: The Evolution of Ransomware***,â***to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover whatâs next for ransomware and the related emerging risks. Get the whole story andDOWNLOADthe eBook now â on us!
chromereleases.googleblog.com/2021/06/chrome-for-android-update_01297860997.html
chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html
chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html
portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-33742
threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART
threatpost.com/ebooks/2021-the-evolution-of-ransomware/?utm_source=April_eBook&utm_medium=ART&utm_campaign=ART
threatpost.com/microsoft-patch-tuesday-in-the-wild-exploits/166724/
threatpost.com/newsletter-sign/
www.microsoft.com/security/blog/2015/06/17/understanding-type-confusion-vulnerabilities-cve-2015-0336/#:~:text=The%20vulnerability%20is%20a%20%E2%80%9Ctype,it%20leads%20to%20type%20confusion.
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
99.6%