Google releases urgent Chrome update to address zero-day bug under active attack

Thirteen other bugs were also fixed in the new update

Google has released an urgent update for Chrome browser to address 14 security vulnerabilities, including a zero-day that's actively being exploited by unknown hackers.

In an online post, the company revealed that Chrome's stable channel has now been updated to 91.0.4472.101 for Windows, Mac and Linux, and it will roll out over the coming days/weeks.

Google disclosed very few details about the zero-day vulnerability fixed in the update, other than that it stems from a type confusion issue in V8, Google's open-source and JavaScript engine.

V8 is used by Chrome and other browsers, including Microsoft Edge, Brave, Opera and Vivaldi, based on the Chromium project.

The Chrome zero-day bug, indexed as CVE-2021-30551, was discovered by Sergei Glazunov of Google Project Zero. Google said it was aware of an exploit for CVE-2021-30551 existing in the wild.

In a post on Twitter, Shane Huntley, director of Google's Threat Analysis Group, indicated that the zero-day was utilised by the same actor that abused CVE-2021-33742 - another zero-day fixed on 8 June by Microsoft as part of its Patch Tuesday update.

https://twitter.com/ShaneHuntley/status/1402712986289016835?ref\\_src=twsrc%5Etfw

In a report this week, Kaspersky researchers said that they have discovered a new threat actor, dubbed PuzzleMaker, who used a chain of Google Chrome and Windows 10 zero-day exploits in targeted attacks against multiple firms worldwide.

According to Kaspersky, the zero-day exploit chain deployed by PuzzleMaker used a RCE bug in the Google Chrome V8 JavaScript engine that enabled them to access the targeted systems.

The group also used an elevation of privilege exploit to compromise the latest Windows 10 versions. To do that, they abused CVE-2021-31955 (information disclosure vulnerability in the Windows kernel) and CVE-2021-31956 (Windows NTFS privilege escalation vulnerability), which were both patched in Microsoft's June 2021 Patch Tuesday update.

Google is expected to release further details about CVE-2021-30551 in the coming weeks.

Apart from CVE-2021-33742, some other security bugs fixed in latest Chrome update are:

CVE-2021-30544: Use after free in BFCache (Critical risk)
CVE-2021-30545: Use after free in Extensions (High)
CVE-2021-30546: Use after free in Autofill (High)
CVE-2021-30547: Out of bounds write in ANGLE (High)
CVE-2021-30548: Use after free in Loader (High)
CVE-2021-30549: Use after free in Spell check (High)
CVE-2021-30550: Use after free in Accessibility (High)
CVE-2021-30552: Use after free in Extensions (Medium)
CVE-2021-30553: Use after free in Network service (Medium)

Google Chrome will automatically attempt to upgrade the browser to the latest version (91.0.4472.101), although users can also perform a manual update by going to Settings > Help > About Google Chrome.