Attention readers, if you are using Google Chrome browser on your Windows, Mac, or Linux computers, you need to update it immediately to the latest version Google released earlier today.
Google on Wednesday rolled out an urgent update for Chrome browser to address 14 newly discovered security issues, including a zero-day flaw that it says is being actively exploited in the wild.
Tracked as CVE-2021-30551, the vulnerability stems from a type confusion issue in its V8 open-source and JavaScript engine. Sergei Glazunov of Google Project Zero has been credited with discovering and reporting the flaw.
Although the search giant's Chrome team issued a terse statement acknowledging "an exploit for CVE-2021-30551 exists in the wild," Shane Huntley, Director of Google's Threat Analysis Group, hinted that the vulnerability was leveraged by the same actor that abused CVE-2021-33742, an actively exploited remote code execution flaw in Windows MSHTML platform that was addressed by Microsoft as part of its Patch Tuesday update on June 8.
The two zero-days are said to have been provided by a commercial exploit broker to a nation-state actor, which used them in limited attacks against targets in Eastern Europe and the Middle East, Huntley said.
More technical details about the nature of the attacks are to be released in the coming weeks so as to allow a majority of the users to install the update and prevent other threat actors from creating exploits targeting the flaw.
With the latest fix, Google has addressed a total of seven zero-days in Chrome since the start of the year —
- CVE-2021-21148 - Heap buffer overflow in V8
- CVE-2021-21166 - Object recycle issue in audio
- CVE-2021-21193 - Use-after-free in Blink
- CVE-2021-21206 - Use-after-free in Blink
- CVE-2021-21220 - Insufficient validation of untrusted input in V8 for x86_64
- CVE-2021-21224 - Type confusion in V8
Chrome users can update to the latest version (91.0.4472.101) by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.