Google has addressed 2 zero-day security bugs that are being actively exploited in the wild.
The security vulnerabilities bring the web giant up to 10 browser zero-days found so far in 2021.
As part of the internet giant’s latest stable channel release (version 93.0.4577.82 for Windows, Mac and Linux), it fixed 11 total vulnerabilities, all of them rated high severity. The 2 zero days are tracked as CVE-2021-30632 and CVE-2021-30633.
Technical Details
“Google is aware that exploits for these exist in the wild,” the company stated in its short website notice on the update, issued Monday.
Google is restricting any technical details “until a majority of users are updated with a fix,” it outlined. The vulnerabilities were reported anonymously, precluding any gleaning of details from the researcher who found them. Here’s what we know:
- CVE-2021-30632: Out of bounds write in V8 JavaScript Engine; and
- CVE-2021-30633: Use after free in the Indexed DB API.
Write Flaws
Out-of-bounds write flaws can result in corruption of data, a crash or code execution. Use-after-free issues can result in any number of attack types, ranging from the corruption of valid data to the execution of arbitrary code. Both bugs have TBD bug-bounty awards attached to them and were reported on Sept. 8.
V8 is Google’s open-source, high-performance JavaScript and WebAssembly engine for Chrome and Chromium-based browsers. It compiles JavaScript into more efficient machine code instead of using an interpreter, which speeds up the web browser. Since this vulnerable component is not specific to Google Chrome, it’s a good bet that other browsers are affected by the bug as well.
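For defenders, the practical check is whether each endpoint's Chrome build is at or above the fixed release, 93.0.4577.82. The following is an added example, not code from Google or from this article: the inventory format, hostnames and sample versions are constructed, and the `check-vendor` status is an assumption reflecting that the article gives no fixed build for other Chromium-based browsers.

```python
# Added example: audit a browser inventory against the fixed Chrome build.
import csv
import io

FIXED_CHROME = (93, 0, 4577, 82)  # stable build named in the article

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """host,browser,version
ws-001,chrome,93.0.4577.82
ws-002,chrome,93.0.4577.63
ws-003,chrome,92.0.4515.159
ws-004,chrome,93.0.4577.9
ws-005,chrome,94.0.4606.54
ws-006,chrome,unknown
ws-007,other-chromium,93.0.1000.1
"""

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(browser, version_text):
    """Map one inventory row to patched / vulnerable / check-vendor / unparsed."""
    version = parse_version(version_text)
    if version is None:
        return "unparsed"          # never assume an unreadable version is safe
    if browser.strip().lower() != "chrome":
        return "check-vendor"      # fixed build for other browsers is not on the page
    # Tuple comparison is numeric per component; comparing the raw strings
    # would wrongly rank "93.0.4577.9" above "93.0.4577.82".
    return "patched" if version >= FIXED_CHROME else "vulnerable"

def audit(inventory_csv):
    """Return {host: status} for every row of a host,browser,version CSV."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        results[row["host"]] = classify(row["browser"], row["version"])
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```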
NoSQL Databases
Indexed DB, meanwhile, allows users to persistently store large amounts of structured data client-side, inside their browsers. The API is a JavaScript application programming interface provided by web browsers for managing these NoSQL databases. It’s a standard maintained by the World Wide Web Consortium.
“Browser bugs discovered from exploitation in the wild are among the most significant security threats,” John Bambenek, Principal Threat Hunter at Netenrich, explained.
“Now that they are patched, exploitation will ramp up. That said, almost 20 years on and we haven’t made web browsing safe shows that the rapid embrace of technology continues to leave users exposed to criminals and nation-state actors. Everyone wants to learn how to hack, too few people are working on defence.”
9 Bugs
The other 9 bugs addressed by Google are as follows:
- CVE-2021-30625: Use after free in Selection API. Reported by Marcin Towalski of Cisco Talos on 2021-08-06
- CVE-2021-30626: Out of bounds memory access in ANGLE. Reported by Jeonghoon Shin of Theori on 2021-08-18
- CVE-2021-30627: Type Confusion in Blink layout. Reported by Aki Helin of OUSPG on 2021-09-01
- CVE-2021-30628: Stack buffer overflow in ANGLE. Reported by Jaehun Jeong (@n3sk) of Theori on 2021-08-18
- CVE-2021-30629: Use after free in Permissions. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2021-08-26
- CVE-2021-30630: Inappropriate implementation in Blink. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-30
- CVE-2021-30631: Type Confusion in Blink layout. Reported by Atte Kettunen of OUSPG on 2021-09-06
Kevin Dunne, President at Pathlock, pointed out that Google has patched many zero-days already this year – 8 prior to the latest 2 – and he cautioned to expect more.
10th Google Zero-Day This Year
“Today, Google released a patch for its 10th and 9th zero-day exploit of the year,” Dunne explained in an email.
“This milestone highlights the emphasis that bad actors are putting on browser exploits, with Chrome becoming a clear favourite, allowing a streamlined way to gain access to millions of devices regardless of OS.
“We expect to see continued zero-day exploits in the wild,” he added.
Other Zero Days
The other zero days discovered so far in 2021 are as follows, many of them in the V8 engine:
- CVE-2021-21148 – (Feb.)
- CVE-2021-21166 – (March)
- CVE-2021-21193 – (March)
- CVE-2021-21220 – (April)
- CVE-2021-21224 – (April, later used in Windows attacks)
- CVE-2021-30551 – (June)
- CVE-2021-30554 – (June)
- CVE-2021-30563 – (July)
Sole Entity
“Google’s commitment to patching these exploits quickly is commendable, as they operate Google Chrome as freeware and therefore are the sole entity who can provide these updates,” Dunne wrote.
“Google is committed to providing Chrome as a free browser, as it is a critical entry point for other businesses such as Google Search and Google Workspace.”
Zero-Click Zero-Day
The news comes as Apple rushed a fix for a zero-click zero-day exploit targeting iMessage. It’s allegedly been used to illegally spy on Bahraini activists with NSO Group’s Pegasus spyware, according to researchers.
Microsoft is also expected to release its monthly Patch Tuesday set of updates today, so it will be apparent if there are yet more zero-day exploits to be concerned about.