Register now for better personalized quote!

Google fixes two high-severity zero-day flaws in Chrome

Oct, 29, 2021 Hi-network.com

It's time to update Chrome and once again, for the third month in a row, Google has fixed two previously unknown 'zero-day' bugs in the world's most popular desktop browser.

Google disclosed that it had patched the two high-severity zero-day flaws in release notes for the stable release of Chrome version 95.0.4638.69 for Windows, Mac and Linux. Any version number higher than that will have the fixes.

Recommends

  • Best VPN services
  • Best security keys
  • Best antivirus software
  • The fastest VPNs

It's a good idea to check out Google's support page for Chrome updates, which explains how Chrome can be set to automatically update when patches become available. Otherwise, Chrome has an 'Update' button that is coloured red if an update is at least a week old, indicating that it should be installed.

SEE:This new ransomware encrypts your data and makes some nasty threats, too

The two zero-day flaws -- which are being exploited by attackers now -- are being tracked with the identifiers CVE-2021-38000 and CVE-2021-38003. Both were found by Google's Threat Analysis Group (TAG), which tracks state-sponsored and cyber-criminal exploit activity. 

The second of the two zero-days was also reported by Samuel Gro? from Google Project Zero on 26 October, indicating how fast Google is responding to zero-day discoveries.

CVE-2021-38000 is a design flaw due to "insufficient validation of untrusted input in Intents". It was reported by TAG on September 15.

CVE-2021-38003 -- a memory corruption flaw, according to Google Project Zero's zero-day tracker -- is described vaguely as "inappropriate implementation in V8". V8 is Chrome's powerful JavaScript engine that Gro? hopes to shore up with additional sandboxing protections. As he noted in his proposal, V8 bugs allow attackers to create "unusually powerful exploits" that are hard to mitigate with existing security technologies.

"Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild," Google said in release notes. The update will roll out over the coming days or weeks, according to Google. 

There are eight, mostly memory-related, security fixes in this Chrome update. The currently listed high-severity flaws include a use-after-free in Sign-in, another use-after-free in Chrome's garbage collection, insufficient data validation in Chrome's New Tab page, a type confusion in V8, and a use-after-free in Web Transport.

SEE:Cloud security in 2021: A business guide to essential tools and best practices

This Chrome release marks the 14th zero-day flaw Google has patched in Chrome this year. The 10th was in mid-September when it patched two zero-days. It patched two more zero-days at the end of September and a further two on Thursday.

Google hasn't attributed the exploits to any hacking group. 

That Google has patched an unusually high number of zero-day flaws in Chrome in 2021 could be interpreted in several ways. The more that get discovered and the quicker they're fixed via updates is good for end-users. Once patched, the exploit is less valuable. This could mean defenders are getting better at spotting zero-days.

On the other hand, Google Project Zero has seen an uptick in zero-days affecting major platforms like Chrome, Windows, and iOS in the past year. The reason for that could be the commercialisation of the zero-day exploit market, providing a shortcut to the acquisition of exploits that otherwise require skills to develop.

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next
  • 8 habits of highly secure remote workers
  • How to find and remove spyware from your phone
  • The best VPN services: How do the top 5 compare?
  • How to find out if you are involved in a data breach -- and what to do next

tag-icon Hot Tags : Tech Security

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.