Google patches actively exploited Chrome zero-days

Two more vulnerabilities in Google's web browser joined a growing list of Chrome zero-days that have been actively exploited in the wild this year.

Google pushed out patches for two Chrome zero-day vulnerabilities that are under attack, adding to a growing list of Chrome zero-days exploited this year.

In a security update late Monday, Google issued security fixes for 11 flaws total, including two zero-day vulnerabilities that have already been exploited in the wild. The first, tracked as CVE-2021-30632, is described as an "out of bounds write in V8," an open source JavaScript engine for Chrome. The second is being tracked as CVE-2021-30633 and affects the "use after free indexed DB application programming interface (API)."

Both bugs were reported anonymously on Sept. 8. The bounties were not revealed.

"Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild," the update said.

Google did not provide any additional information on the extent of exploitation.

The discovery of these two bugs marked 11 actively exploited flaws found in Chrome this year alone.

It started in February with CVE-2021-21148, which, according to Mitre, "allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page" like many of the flaws on the list. In March, two zero-days in Chrome were documented, CVE-2021-21166 and CVE-2021-21193.

The following month recorded the highest amount, with three flaws uncovered: CVE-2021-21206, CVE-2021-21220 and CVE-2021-21224. CVE-2021-21206 concerned a "use after free in Blink" while CVE-2021-21220 was an "insufficient validation of untrusted input in V8."

Then in June, Google disclosed CVE-2021-30554, described as a "use after free in WebGL" and CVE-2021-30551, which impacted "type confusion in V8." An actively exploited flaw tracked as CVE-2021-30563, which could allow a remote attacker to gain system control, was patched in July.

According to Google's update Monday, version 93.0.45577.82 for Windows, Mac and Linux will roll out over the next comings days or weeks.   

Kevin Dunne, president of unified access provider Pathlock, said the string of Chrome exploits is a milestone and demonstrates the emphasis that bad actors are putting on browser exploits, with Chrome becoming a clear favorite. "It allows a streamlined way to gain access to millions of devices regardless of OS," Dunne said in an email to SearchSecurity.

John Bambenek, principal threat hunter at NetEnrich, told SearchSecurity that browser bugs discovered from exploitation in the wild are among the most significant security threats. Now that they are patched, he said, exploitation will likely ramp up.

"That said, almost two decades on and we haven't made web browsing safe shows that the rapid embrace of technology continues to leave users exposed to criminals and nation-state actors. Everyone wants to learn how to hack, however, not enough people are working on defense," Bambenek said in an email to SearchSecurity.

Dig Deeper on Application and platform security

Enterprise Desktop
Cloud Computing