Google Chrome 91.0.4472.164 addresses seven security vulnerabilities, including a high severity zero-day flaw exploited in the wild.
Google has released Chrome 91.0.4472.164 for Windows, Mac, and Linux that addresses seven vulnerabilities, including a high severity zero-day vulnerability, tracked as CVE-2021-30563, that has been exploited in the wild.
The CVE-2021-30563 is a “type confusion” issue that affects the V8 JavaScript and WebAssembly engine.
“Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild,” reads Google’s announcement.
Type confusion issues are logical bugs that result from confusion between object types, their exploitation would lead to browser crashes due to buffer overflow, they can also potentially lead to arbitrary code execution. The flaw was discovered by Sergei Glazunov from Google Project Zero.
The IT giant did not share info about the attacks exploiting the flaw either the nature of the threat actors.
None of the issues that were fixed by Google with the new release has been rated as critical, below there is the list of flaws addressed with the release of Google Chrome 91.0.4472.164:
- [$7500][1219082] High CVE-2021-30559: Out of bounds write in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2021-06-11
- [$5000][1214842] High CVE-2021-30541: Use after free in V8. Reported by Richard Wheeldon on 2021-05-31
- [$N/A][1219209] High CVE-2021-30560: Use after free in Blink XSLT. Reported by Nick Wellnhofer on 2021-06-12
- [$TBD][1219630] High CVE-2021-30561: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-06-14
- [$TBD][1220078] High CVE-2021-30562: Use after free in WebSerial. Reported by Anonymous on 2021-06-15
- [$TBD][1228407] High CVE-2021-30563: Type Confusion in V8. Reported by Anonymous on 2021-07-12
- [$TBD][1221309] Medium CVE-2021-30564: Heap buffer overflow in WebXR. Reported by Ali Merchant, iQ3Connect VR Platform on 2021-06-17
This is the eighth zero-day flaw fixed by Google in the Chrome browser that was exploited by threat actors in the wild this year, the other ones are:
- CVE-2021-21148 – February 4th, 2021
- CVE-2021-21166 – March 2nd, 2021
- CVE-2021-21193 – March 12th, 2021
- CVE-2021-21220 – April 13th, 2021
- CVE-2021-21224 – April 20th, 2021
- CVE-2021-30551 – June 9th, 2021
- CVE-2021-30554 – June 17th, 2021
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Google Chrome)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
Google Chrome 91.0.4472.164 addresses seven security vulnerabilities, including a high severity zero-day flaw exploited in the wild.
Google has released Chrome 91.0.4472.164 for Windows, Mac, and Linux that addresses seven vulnerabilities, including a high severity zero-day vulnerability, tracked as CVE-2021-30563, that has been exploited in the wild.
The CVE-2021-30563 is a “type confusion” issue that affects the V8 JavaScript and WebAssembly engine.
“Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild,” reads Google’s announcement.
Type confusion issues are logical bugs that result from confusion between object types, their exploitation would lead to browser crashes due to buffer overflow, they can also potentially lead to arbitrary code execution. The flaw was discovered by Sergei Glazunov from Google Project Zero.
The IT giant did not share info about the attacks exploiting the flaw either the nature of the threat actors.
None of the issues that were fixed by Google with the new release has been rated as critical, below there is the list of flaws addressed with the release of Google Chrome 91.0.4472.164:
- [$7500][1219082] High CVE-2021-30559: Out of bounds write in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2021-06-11
- [$5000][1214842] High CVE-2021-30541: Use after free in V8. Reported by Richard Wheeldon on 2021-05-31
- [$N/A][1219209] High CVE-2021-30560: Use after free in Blink XSLT. Reported by Nick Wellnhofer on 2021-06-12
- [$TBD][1219630] High CVE-2021-30561: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2021-06-14
- [$TBD][1220078] High CVE-2021-30562: Use after free in WebSerial. Reported by Anonymous on 2021-06-15
- [$TBD][1228407] High CVE-2021-30563: Type Confusion in V8. Reported by Anonymous on 2021-07-12
- [$TBD][1221309] Medium CVE-2021-30564: Heap buffer overflow in WebXR. Reported by Ali Merchant, iQ3Connect VR Platform on 2021-06-17
This is the eighth zero-day flaw fixed by Google in the Chrome browser that was exploited by threat actors in the wild this year, the other ones are:
- CVE-2021-21148 – February 4th, 2021
- CVE-2021-21166 – March 2nd, 2021
- CVE-2021-21193 – March 12th, 2021
- CVE-2021-21220 – April 13th, 2021
- CVE-2021-21224 – April 20th, 2021
- CVE-2021-30551 – June 9th, 2021
- CVE-2021-30554 – June 17th, 2021
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Google Chrome)