Overview
Google has announced an update that patches 11 new vulnerabilities in the Chrome browser. Chrome for Windows, Mac and Linux should be updated immediately, as two of these vulnerabilities are zero-days (CVE-2021-30632, CVE-2021-30633) actively exploited in the wild.
Description
Google has released a new version (93.0.4577.82) of Chrome for Windows, Mac and Linux that patches a total of 11 security vulnerabilities. So far, Google has disclosed limited information, such as CVE identifiers and vulnerability types, for only the 9 vulnerabilities that were reported by external security researchers. All 9 publicly shared vulnerabilities have a “High” severity rating. For the remaining 2 vulnerabilities, which were discovered in-house, no information has been shared yet.
Google also announced that two of these vulnerabilities (CVE-2021-30632, CVE-2021-30633) are zero-days that are actively exploited in the wild.
Further details on the disclosed vulnerabilities are as follows:
- CVE-2021-30625: Use After Free in Selection API. Severity: High
- CVE-2021-30626: Out of Bounds Memory Access in ANGLE. Severity: High
- CVE-2021-30627: Type Confusion in Blink Layout. Severity: High
- CVE-2021-30628: Stack Buffer Overflow in ANGLE. Severity: High
- CVE-2021-30629: Use After Free in Permissions. Severity: High
- CVE-2021-30630: Inappropriate Implementation in Blink. Severity: High
- CVE-2021-30631: Type Confusion in Blink. Severity: High
- CVE-2021-30632: Out of Bounds Write in V8. Severity: High (Zero-Day)
- CVE-2021-30633: Use After Free in Indexed DB API. Severity: High (Zero-Day)
Google additionally shared the names of the tools used to detect these vulnerabilities. The following is a list of the tools used by Google for bug discovery:
Impact
A remote attacker who successfully exploits CVE-2021-30632 by performing an out-of-bounds memory write in V8 could execute arbitrary code and gain full control of the system.
Impact Summary CVE-2021-30632
Category: Out of Bounds Memory Write
CVSS 3.1 Base Score: N/A
CVSS 3.1 Vector: N/A
An attacker who successfully exploits CVE-2021-30633 by causing memory corruption (Use After Free) in the Indexed DB API via a crafted HTML page could remotely execute arbitrary code and gain full control of the system.
Impact Summary CVE-2021-30633
Category: Use After Free
CVSS 3.1 Base Score: N/A
CVSS 3.1 Vector: N/A
Solution (Update)
To defend against possible attacks due to these vulnerabilities, Google Chrome needs to be updated to the stable version 93.0.4577.82.
Normally, Chrome updates in the background when it is closed and reopened. However, if it has not been closed for a while, there might be pending updates. To check for pending updates, you can click More (three vertical dots) at the top right of the Chrome browser.


References to Advisories, Solutions and Tools
- Google Chrome Releases Blog (Stable Channel Update for Desktop)