Same Zero Days, New Target: Chrome

If you use the Google Chrome browser on a Windows, Mac, or Linux computer, update it immediately to the latest version, which Google released on June 9th.

The internet services company has rolled out an urgent update to the browser to address 14 newly discovered security issues, including a zero-day flaw that it says is being actively exploited in the wild.

Tracked as CVE-2021-30551, the vulnerability stems from a type confusion issue in V8, Chrome's open-source JavaScript engine.

At the Sentinel Cybershield SOC, the update was picked up by our patch inventory as critical and, upon testing, was recommended to all constituents for implementation as a non-removable patch.

Although the search giant’s Chrome team issued a terse statement acknowledging “an exploit for CVE-2021-30551 exists in the wild,” Shane Huntley, Director of Google’s Threat Analysis Group, hinted that the vulnerability was leveraged by the same actor that abused CVE-2021-33742, an actively exploited remote code execution flaw in the Windows MSHTML platform that was addressed by Microsoft as part of its Patch Tuesday update on June 8.

The two zero-days are said to have been provided by a commercial exploit broker to a nation-state actor, which used them in limited attacks against targets in Eastern Europe and the Middle East.

With the latest fix, Google has addressed a total of seven zero-days in Chrome since the start of the year —

Chrome users can update to the latest version (91.0.4472.101) by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.
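For teams checking a fleet rather than a single browser, the following added example (not part of the original article) flags hosts whose reported Chrome build is older than 91.0.4472.101. The inventory format and host names are constructed assumptions; the comparison is numeric per component, because a plain string comparison would rank 91.0.4472.101 below 91.0.4472.77.

```python
import re

# Fixed build named in the article; everything else below is constructed sample data.
FIXED_BUILD = "91.0.4472.101"

# Constructed inventory (hypothetical format): hostname, raw version string from an agent.
SAMPLE_INVENTORY = """\
ws-001,Google Chrome 91.0.4472.77
ws-002,Google Chrome 91.0.4472.101
ws-003,90.0.4430.212
ws-004,Google Chrome 92.0.4515.51 beta
ws-005,unknown
"""

# Chrome versions have four numeric components: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version found in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(inventory, fixed=FIXED_BUILD):
    """Map each host to 'patched', 'outdated' or 'unparsed'.

    'unparsed' hosts are reported separately so they get followed up
    instead of being silently counted as patched.
    """
    fixed_t = parse_version(fixed)
    result = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, raw = line.partition(",")
        version = parse_version(raw)
        if version is None:
            result[host.strip()] = "unparsed"
        elif version >= fixed_t:  # tuple comparison is numeric, component by component
            result[host.strip()] = "patched"
        else:
            result[host.strip()] = "outdated"
    return result


if __name__ == "__main__":
    for host, status in classify(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```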
