Multiple Security Vulnerabilities Patched in Google Chrome – Including a Zero-Day (CVE-2021-21166)

Overview

Google Chrome before 89.0.4389.72 for Windows, Mac and Linux contains multiple vulnerabilities, including 3 Heap Buffer Overflow and 1 Use After Free vulnerabilities that are rated as high in severity.

Description

Google has released a new version of Chrome (89.0.4389.72) for Windows, Mac and Linux that patches a total of 47 security vulnerabilities. 8 of the patched vulnerabilities are rated as high in CVSS severity rating, as they are caused by Heap Buffer Overflow, Use After Free, Insufficient Data Validation and Object Lifecycle type bugs.

Google has not yet disclosed the details of the bugs, in order to protect Chrome users from attackers who could exploit the vulnerabilities. However, as Google has officially acknowledged, at least one of the vulnerabilities (CVE-2021-21166), which was reported by Microsoft, is a zero-day that is known to be exploited in the wild.

The vulnerabilities that are rated as high are as follows:

  • CVE-2021-21159: Heap Buffer Overflow in TabStrip. Severity: High
  • CVE-2021-21160: Heap Buffer Overflow in WebAudio. Severity: High
  • CVE-2021-21161: Heap Buffer Overflow in TabStrip. Severity: High
  • CVE-2021-21162: Use After Free in WebRTC. Severity: High
  • CVE-2021-21163: Insufficient Data Validation in Reader Mode. Severity: High
  • CVE-2021-21164: Insufficient Data Validation in Chrome for iOS. Severity: High
  • CVE-2021-21165: Object Lifecycle Issue in Audio. Severity: High
  • CVE-2021-21166: Object Lifecycle Issue in Audio. Severity: High (Zero-Day)

Impact

An attacker who successfully exploits CVE-2021-21159 by causing heap corruption in TabStrip via a crafted HTML page could remotely execute arbitrary code and gain full control of the system.

Impact Summary CVE-2021-21159

Category: Heap Buffer Overflow
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

An attacker who successfully exploits CVE-2021-21160 by causing heap corruption in WebAudio via a crafted HTML page could remotely execute arbitrary code and gain full control of the system.

Impact Summary CVE-2021-21160

Category: Heap Buffer Overflow
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

An attacker who successfully exploits CVE-2021-21161 by causing heap corruption in TabStrip via a crafted HTML page could remotely execute arbitrary code and gain full control of the system.

Impact Summary CVE-2021-21161

Category: Heap Buffer Overflow
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

An attacker who successfully exploits CVE-2021-21162 by causing heap corruption (Use After Free) in WebRTC via a crafted HTML page could remotely execute arbitrary code and gain full control of the system.

Impact Summary CVE-2021-21162

Category: Use After Free
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

An attacker who successfully exploits CVE-2021-21163 by taking advantage of insufficient data validation could leak cross-origin data via a crafted HTML page and a malicious server.

Impact Summary CVE-2021-21163

Category: Insufficient Data Validation
CVSS 3.1 Base Score: 6.5 Medium
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

An attacker who successfully exploits CVE-2021-21164 by taking advantage of insufficient data validation could leak cross-origin data via a crafted HTML page and a malicious server.

Impact Summary CVE-2021-21164

Category: Insufficient Data Validation
CVSS 3.1 Base Score: 6.5 Medium
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

An attacker who successfully exploits CVE-2021-21165 by causing heap corruption via a crafted HTML page due to a race condition in audio could remotely execute arbitrary code and gain full control of the system.

Impact Summary CVE-2021-21165

Category: Object Lifecycle Issue
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

An attacker who successfully exploits CVE-2021-21166 by causing heap corruption via a crafted HTML page due to a race condition in audio could remotely execute arbitrary code and gain full control of the system.

Impact Summary CVE-2021-21166

Category: Object Lifecycle Issue
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Solution (Update)

To defend against possible attacks due to these vulnerabilities, Google Chrome needs to be updated to the stable version 89.0.4389.72.

Normally, Chrome updates in the background when it is closed and reopened. However, if it has not been closed for a while, there might be pending updates. To check for pending updates, you can click More (three vertical dots) at the top right of the Chrome browser.
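
For more than a handful of machines, the same check can be run against collected version strings. The following is an added example, not part of the original advisory: it flags desktop Chrome installs older than 89.0.4389.72 and compares versions numerically, because a plain string comparison ranks "89.0.4389.9" above "89.0.4389.72". The hostnames and inventory strings are constructed for illustration.

```python
import re

FIXED = (89, 0, 4389, 72)  # first fixed stable release named in this advisory

def parse_chrome_version(text):
    """Extract a four-part Chrome version from free text such as '--version' output."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b", text)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(inventory):
    """Map each host to 'vulnerable', 'patched' or 'unknown' relative to FIXED."""
    result = {}
    for host, reported in inventory.items():
        version = parse_chrome_version(reported)
        if version is None:
            result[host] = "unknown"      # no parsable version: needs a manual look
        elif version < FIXED:             # tuple comparison is numeric per component
            result[host] = "vulnerable"
        else:
            result[host] = "patched"
    return result

# Constructed sample inventory (hostnames and strings are made up for illustration).
SAMPLE = {
    "ws-01": "Google Chrome 88.0.4324.190",
    "ws-02": "Google Chrome 89.0.4389.72",
    "ws-03": "Google Chrome 89.0.4389.9",   # sorts after .72 as text, but is numerically older
    "ws-04": "Google Chrome 90.0.4430.85",
    "ws-05": "chrome: command not found",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```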

References to Advisories, Solutions and Tools

To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?