Overview
Google has announced a new update on Thursday (October 28, 2021) to patch 8 new vulnerabilities that exist in its Chrome browser. Chrome for Windows, Mac and Linux should be updated immediately, as two of these vulnerabilities are zero-days (CVE-2021-38000, CVE-2021-38003) that are actively exploited in the wild.
Description
Google has released a new version (95.0.4638.69) for Chrome for Windows, Mac and Linux to patch for a total of 8 security vulnerabilities. So far, Google has disclosed limited information, such as CVE identifiers and vulnerability types, for only 7 of these vulnerabilities that have been contributed by external security researchers. All of these publicly disclosed vulnerabilities have have been rated as “Medium” in severity. For the remaining 1 vulnerability that has been discovered in-house, no information has been shared yet.
Google also announced that two of these vulnerabilities (CVE-2021-38000, CVE-2021-38003) are zero-days and actively exploited in the wild. Note that, though CVE identifiers have been assigned for these vulnerabilities, detailed vulnerability information at the NVD (National Vulnerability Database) become usually available with a time lag of weeks or months.
Further details on the disclosed vulnerabilities are as follows:
- CVE-2021-37997: Use After Free in Sign-In. Severity: High
- CVE-2021-37998 : Use After Free in Garbage Collection. Severity: High
- CVE-2021-37999 : Insufficient Data Validation in New Tab Page. Severity: High
- CVE-2021-38000 : Insufficient Validation of Untrusted Input in Intents. Severity: High (Zero-Day)
- CVE-2021-38001 : Type Confusion in V8. Severity: High
- CVE-2021-38002 : Use After Free in Web Transport. Severity: High
- CVE-2021-38003 : Inappropriate implementation in V8. Severity: High (Zero-Day)
Google additionally shared the names of the tools for detecting these vulnerabilities. Following are a list of the tools used by Google for bug discovery:
Note that, these vulnerabilities originate from the Chromium Open Source Software Project which is consumed by Google Chrome as its core engine. As quite a number of other web browsers (such as Microsoft Edge, Opera, Brave, Vivaldi, Epic Browser, Iron Browser, Blisk, etc.) also depend on the Chromium as their core engines, these browsers also need to be updated to their most recent versions according to the specific vendor security advisories.
Impact
A remote attacker who successfully exploits the untrusted input validation vulnerability (CVE-2021-38000) in Intents in Google Chrome could browse to a malicious URL via a crafted HTML page.
Impact Summary CVE-2021-38000
Category: Insufficient Validation of Input
CVSS 3.1 Base Score: 6.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
A remote attacker who successfully exploits the heap corruption vulnerability (CVE-2021-38003) in V8 in Google Chrome could potentially take control of the affected system with the privileges of the logged-in user.
Impact Summary CVE-2021-38003
Category: Heap Buffer Overflow
CVSS 3.1 Base Score: 8.8
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Solution (Update)
To defend against possible attacks due to these vulnerabilities, Google Chrome needs to be updated to the stable version 95.0.4638.69.
Normally, Chrome updates in the background when it is closed and reopened. However, if it has not been closed for a while, there might be pending updates. To check for pending updates, you can click More (Three vertical dots) on the top right of the Chrome browser.
There are only two different types of companies in the world: those that have been breached and know it and those that have been breached and don’t know it.
Ted Schlein
Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.
References to Advisories, Solutions and Tools
- Google Chrome Releases Blog (Stable Channel Update for Desktop)
To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?
