Google Fixes High-Severity Chrome Zero Day

Google has issued fixes for five security flaws, including a high-severity bug that is being actively exploited by attackers. The fixes are part of a Monday update of the Stable channel to version 96.0.4664.110 for Windows, Mac and Linux.

The zero-day vulnerability (CVE-2021-4102) exists in the open-source V8 JavaScript engine, which was developed by the Chromium Project for the Chrome and Chromium web browsers. The vulnerability is a use-after-free flaw, a type of issue that occurs when an application continues to use a pointer to memory after that memory has been freed, which can cause the program to crash and potentially allow arbitrary code to be executed. Other zero-day vulnerabilities have previously been uncovered in the engine, including CVE-2021-38003, an inappropriate implementation error, and CVE-2021-38001, a type-confusion bug.

“Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild,” according to the security advisory. As is standard for Chrome security advisories, bug details are not being released until a “majority of users are updated with a fix.” Google was alerted to the flaw by an anonymous reporter on Dec. 9.

Other vulnerabilities addressed in the Chrome update include a critical-severity insufficient data validation issue in Mojo (CVE-2021-4098). According to Chromium, Mojo is a communication framework that facilitates the passing of messages across arbitrary inter- and intra-process boundaries. Other high-severity Google Chrome vulnerabilities include a use-after-free bug (CVE-2021-4099) and a heap buffer overflow flaw (CVE-2021-4101) in the SwiftShader software 3D renderer, as well as an object lifecycle issue (CVE-2021-4100) in ANGLE, an open-source, cross-platform graphics engine abstraction layer.

This latest actively exploited flaw brings Google Chrome’s tally to 17 zero-day bugs discovered so far this year, including two high-severity bugs fixed in October and a use-after-free zero-day vulnerability in the WebGL component of Chromium, which was patched in June (CVE-2021-30554). That number exceeds the totals from previous years, including the eight zero-day vulnerabilities that were discovered in 2020, according to a spreadsheet maintained by Google researchers.