Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Google Patches Chrome Zero-Day Used by Commercial Exploit Company

Google this week released patches for 14 vulnerabilities in the Chrome browser, including a security flaw that has been exploited in the wild.

Ten of the issues were reported by external security researchers: one rated critical severity, seven high severity, and two medium severity. All are patched in Chrome 91.0.4472.101 for Windows, Mac and Linux.

Google this week released patches for 14 vulnerabilities in the Chrome browser, including a security flaw that has been exploited in the wild.

Ten of the issues were reported by external security researchers: one rated critical severity, seven high severity, and two medium severity. All are patched in Chrome 91.0.4472.101 for Windows, Mac and Linux.

The most severe of these is CVE-2021-30544, a critical use-after-free bug that impacts BFCache, a browser optimization meant to enable instant back and forward navigation between cached pages. The feature was introduced in February 2019.

The critical security hole was reported by Rong Jian and Guang Gong of 360 Alpha Lab, who received a $25,000 bug bounty reward for the finding.

Of the seven high-severity issues patched this week, six are use-after-free flaws in Extensions, Autofill, Loader, Spell check, Accessibility, and V8, while the seventh is an out-of-bounds write bug in ANGLE.

According to the Internet giant, the vulnerability in V8, which is tracked as CVE-2021-30551, is already being exploited in attacks.

“Google is aware that an exploit for CVE-2021-30551 exists in the wild,” the company said, without providing further technical details.

On Twitter, Shane Huntley, director of Google’s Threat Analysis Group, revealed that the exploit for CVE-2021-30551 has been created by a “commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting.”

The same organization has developed an exploit for CVE-2021-33742, a critical remote code execution issue in the Windows MSHTML platform, Huntley explains.

Microsoft this week released patches for this flaw and five other actively exploited security vulnerabilities in its products.

Since the beginning of 2021, Google addressed a total of six zero-day vulnerabilities in Chrome. In addition to CVE-2021-30551, the other five are CVE-2021-21148, CVE-2021-21166, CVE-2021-21193, CVE-2021-21220, and CVE-2021-21224.

Related: Google Patches 32 Vulnerabilities With Release of Chrome 91

Related: Google Patches 19 Vulnerabilities With Chrome 90 Update

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.