Google has addressed two zero-day security bugs that are being actively exploited in the wild.
As part of the internet giant’s latest stable channel release (version 93.0.4577.82 for Windows, Mac and Linux), it fixed 11 total vulnerabilities, all of them rated high-severity. The two zero days are tracked as CVE-2021-30632 and CVE-2021-30633.
“Google is aware that exploits for [these] exist in the wild,” the company said in its short website notice on the update, issued Monday.
Google is restricting any technical details “until a majority of users are updated with a fix,” it said. The vulnerabilities were reported anonymously, precluding any gleaning of details from the researcher who found them. Here’s what we know:
- CVE-2021-30633: Use after free in the IndexedDB API.
Out-of-bounds write flaws can result in corruption of data, a crash or code execution. Use-after-free issues can result in any number of attack types, ranging from the corruption of valid data to the execution of arbitrary code. Both bugs have TBD bug-bounty awards attached to them and were reported on Sept. 8.
“Browser bugs discovered from exploitation in the wild are among the most significant security threats,” John Bambenek, principal threat hunter at Netenrich, said via email. “Now that they are patched, exploitation will ramp up. That said, almost 20 years on and we haven’t made web browsing safe shows that the rapid embrace of technology continues to leave users exposed to criminals and nation-state actors. Everyone wants to learn how to hack, too few people are working on defense.”
The other nine bugs addressed by Google are as follows:
- CVE-2021-30625: Use after free in Selection API. Reported by Marcin Towalski of Cisco Talos on 2021-08-06
- CVE-2021-30626: Out of bounds memory access in ANGLE. Reported by Jeonghoon Shin of Theori on 2021-08-18
- CVE-2021-30627: Type Confusion in Blink layout. Reported by Aki Helin of OUSPG on 2021-09-01
- CVE-2021-30628: Stack buffer overflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-08-18
- CVE-2021-30629: Use after free in Permissions. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2021-08-26
- CVE-2021-30630: Inappropriate implementation in Blink. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-30
- CVE-2021-30631: Type Confusion in Blink layout. Reported by Atte Kettunen of OUSPG on 2021-09-06
Kevin Dunne, president at Pathlock, pointed out that Google has patched plenty of zero-days already this year – eight prior to the latest two, to be exact – and he said to expect more.
10th Zero-Day in 2021 for Google
“Today, Google released a patch for its tenth [and ninth] zero-day exploit of the year,” Dunne said in an email to media. “This milestone highlights the emphasis that bad actors are putting on browser exploits, with Chrome becoming a clear favorite, allowing a streamlined way to gain access to millions of devices regardless of OS.
“We expect to see continued zero-day exploits in the wild,” he added.
The other zero days discovered so far in 2021 are as follows, many of them in the V8 engine:
- CVE-2021-21148 – (February)
- CVE-2021-21166 – (March)
- CVE-2021-21193 – (March)
- CVE-2021-21220 – (April)
- CVE-2021-21224 – (April, later used in Windows attacks)
- CVE-2021-30551 – (June)
- CVE-2021-30554 – (June)
- CVE-2021-30563 – (July)
“Google’s commitment to patching these exploits quickly is commendable, as they operate Google Chrome as freeware and therefore are the sole entity who can provide these updates,” Dunne wrote. “Google is committed to providing Chrome as a free browser, as it is a critical entry point for other businesses such as Google Search and Google Workspace.”
The news comes as Apple rushed a fix for a zero-click zero-day exploit targeting iMessaging. It’s allegedly been used to illegally spy on Bahraini activists with NSO Group’s Pegasus spyware, according to researchers.
Microsoft is also expected to release its monthly Patch Tuesday set of updates today, so we’ll see if there are yet more zero-day exploits to worry about.
It’s time to evolve threat hunting into a pursuit of adversaries. JOIN Threatpost and Cybersixgill for Threat Hunting to Catch Adversaries, Not Just Stop Attacks and get a guided tour of the dark web and learn how to track threat actors before their next attack. REGISTER NOW for the LIVE discussion on Sept. 22 at 2 p.m. EST with Cybersixgill’s Sumukh Tendulkar and Edan Cohen, along with independent researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.