Zero-Day Vulnerability Actively Exploited in Google Chrome (CVE-2021-30554)

Overview

Just days after issuing patches for 14 Google Chrome vulnerabilities, Google has announced a new update that patches four further vulnerabilities in the Chrome browser. Chrome for Windows, Mac and Linux should be updated immediately, as one of the vulnerabilities is a zero-day (CVE-2021-30554) that is known to be exploited in the wild.

Description

Google has released a new version (91.0.4472.114) of Chrome for Windows, Mac and Linux to patch a total of four security vulnerabilities. So far, Google has disclosed only limited information on the recently discovered vulnerabilities, such as their CVE identifiers and vulnerability types.

Google also announced that one of these vulnerabilities (CVE-2021-30554) is a zero-day: an exploit for it exists and is being actively used in the wild.

Further details on the disclosed vulnerabilities (as summarised in the Impact section below) are as follows:

  • CVE-2021-30554: Use after free in WebGL (zero-day, exploited in the wild)
  • CVE-2021-30555: Use after free in Sharing
  • CVE-2021-30556: Use after free in WebAudio
  • CVE-2021-30557: Use after free in TabGroups

Google additionally shared the names of the tools used to detect these vulnerabilities. The following is a list of the tools Google used for bug discovery:

Impact

A remote attacker who successfully exploits CVE-2021-30554 by causing heap corruption in WebGL via a crafted HTML page could execute arbitrary code and gain full control of the system.

Impact Summary CVE-2021-30554

Category: Use After Free
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

A remote attacker who successfully exploits CVE-2021-30555 by causing heap corruption in Sharing via a crafted HTML page could execute arbitrary code and gain full control of the system.

Impact Summary CVE-2021-30555

Category: Use After Free
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

A remote attacker who successfully exploits CVE-2021-30556 by causing heap corruption in WebAudio via a crafted HTML page could execute arbitrary code and gain full control of the system.

Impact Summary CVE-2021-30556

Category: Use After Free
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

A remote attacker who successfully exploits CVE-2021-30557 by causing heap corruption in TabGroups via a crafted HTML page could execute arbitrary code and gain full control of the system.

Impact Summary CVE-2021-30557

Category: Use After Free
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Solution (Update)

To defend against possible attacks due to these vulnerabilities, Google Chrome needs to be updated to the stable version 91.0.4472.114.

Normally, Chrome updates in the background when it is closed and reopened. However, if it has not been closed for a while, there might be pending updates. To check for pending updates, click More (the three vertical dots) at the top right of the Chrome browser.
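For administrators who need to confirm the fix across many machines rather than one browser at a time, the following Python snippet is an added example (not part of the original advisory or of any Google tooling) that triages an inventory of reported Chrome versions against the fixed version 91.0.4472.114. The inventory format ("hostname version" per line) and the sample hosts are constructed for illustration; how the versions are collected is left to the reader's endpoint tooling. Because Chrome only reports the new version after a relaunch, a host that still shows an old version with a pending update will correctly appear in the needs-update list until the browser is restarted.

```python
import re

# Fixed Chrome stable version named in the advisory.
FIXED_VERSION = "91.0.4472.114"

# Constructed sample inventory ("hostname version"); not real data.
SAMPLE_INVENTORY = """\
ws-0142 91.0.4472.114
ws-0143 91.0.4472.101
ws-0144 90.0.4430.212
ws-0145 92.0.4515.107
ws-0146 unknown
"""

VERSION_RE = re.compile(r"\d+(\.\d+){3}")


def parse_version(text):
    """Parse a four-part dotted Chrome version into a tuple of ints.
    Numeric tuples compare correctly ('91.0.4472.114' > '91.0.4472.99'),
    whereas plain string comparison would get that pair wrong."""
    if not VERSION_RE.fullmatch(text):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_patched(version, fixed=FIXED_VERSION):
    """True if the reported version is at or above the fixed version."""
    return parse_version(version) >= parse_version(fixed)


def triage_inventory(inventory_text, fixed=FIXED_VERSION):
    """Return (needs_update, unparseable) host lists from inventory lines.
    Hosts whose version field cannot be parsed are reported separately
    rather than silently treated as patched."""
    needs_update, unparseable = [], []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.strip().partition(" ")
        try:
            if not is_patched(version.strip(), fixed):
                needs_update.append(host)
        except ValueError:
            unparseable.append(host)
    return needs_update, unparseable


if __name__ == "__main__":
    stale, unknown = triage_inventory(SAMPLE_INVENTORY)
    print("Hosts below", FIXED_VERSION + ":", stale)
    print("Hosts with unreadable version:", unknown)
```

Unparseable entries are kept in their own list on purpose: a collection failure is not evidence that a machine is patched, and treating it as such would hide exactly the hosts most likely to be unmanaged.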

Figure 1: Google Chrome Update Version 91.0.4472.114
References to Advisories, Solutions and Tools

References to Previous Google Chrome Vulnerabilities

  • Zero-Day Vulnerability Actively Exploited in Google Chrome (CVE-2021-30551)
  • Multiple Security Vulnerabilities Patched in Google Chrome – Including a Zero-Day (CVE-2021-21166)
  • Zero-Day Vulnerability in Google Chrome (CVE-2021-21148)

To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?