Google patches 8th Chrome zero-day exploited in the wild this year

Google has released Chrome 91.0.4472.164 for Windows, Mac, and Linux to fix seven security vulnerabilities, one of them a high severity zero-day vulnerability exploited in the wild.

“Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild,” the company revealed.

The new Chrome release has started rolling out worldwide to the Stable desktop channel and will become available to all users over the following days.

Google Chrome will automatically update itself on the next launch, but you can also manually update it by checking for the newly released version from Settings > Help > ‘About Google Chrome.’

Eighth exploited zero-day patched this year

The zero-day patched on Thursday and reported by Google Project Zero’s Sergei Glazunov is described as a type confusion bug in V8, Google’s open-source C++-based and high-performance WebAssembly and JavaScript engine.

Even though type confusion weaknesses would generally lead to browser crashes following successful exploitation by reading or writing memory out of the bounds of the buffer, they can also be exploited by threat actors to execute arbitrary code on devices running vulnerable software.

While Google said that it is aware of CVE-2021-30563 in the wild exploitation, it did not share info regarding these attacks to allow the security update to deploy on as many systems as possible before more threat actors start actively abusing.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google said.

“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”

In all, Google has patched eight Chrome zero-day bugs exploited by attackers in the wild since the start of 2021. Besides CVE-2021-30563, the company previously addressed:

• CVE-2021-21148 – February 4th, 2021
• CVE-2021-21166 – March 2nd, 2021
• CVE-2021-21193 – March 12th, 2021
• CVE-2021-21220 – April 13th, 2021
• CVE-2021-21224 – April 20th, 2021
• CVE-2021-30551 – June 9th, 2021
• CVE-2021-30554 – June 17th, 2021

More details on previously patched Chrome zero-days

The Google Threat Analysis Group (TAG) has shared additional details earlier this week regarding in-the-wild exploitation of CVE-2021-21166 and CVE-2021-30551 Chrome zero-days.

“Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world,” Google said.

On Thursday, Microsoft and Citizen Lab linked the vendor mentioned in Google TAG’s report to Israeli spyware vendor Candiru

Threat actors deployed the surveillance vendor’s spyware to infect iOS, Android, macOS, and Windows devices using Chrome zero-days and Windows unpatched flaws.

Microsoft researchers found that Candiru’s malware was used to compromise the systems of “politicians, human rights activists, journalists, academics, embassy workers, and political dissidents.”

In all, Microsoft said it discovered “at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore.”