Security news that informs and inspires

Google Fixes Two Chrome Zero-Day Flaws


Google has issued fixes for eight security flaws, including two high-severity bugs that attackers are already exploiting in the wild. The fixes are part of a Thursday update of the Stable channel to version 95.0.4638.69 for Windows, Mac and Linux. Chrome downloads the update in the background but only runs the patched build after a relaunch, so the version shown under chrome://settings/help should read 95.0.4638.69 or later before a machine is considered fixed.
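The practical follow-up to an advisory like this is checking that every managed browser is on the fixed build or newer. The script below is an added example, not code from the original article or from Google: it takes a constructed inventory of hypothetical hosts with their `google-chrome --version` output and flags any host whose build is missing or older than 95.0.4638.69. Versions are compared as tuples of integers, because a plain string comparison gets four-part build numbers wrong.

```python
import re

# Fixed Stable-channel version from the advisory discussed above.
FIXED_VERSION = "95.0.4638.69"

# Constructed sample inventory (hypothetical host names), one host per line:
# "<host> <output of `google-chrome --version`>".
SAMPLE_INVENTORY = """\
web01 Google Chrome 95.0.4638.69
web02 Google Chrome 95.0.4638.54
dev03 Chromium 94.0.4606.81
lab04 Google Chrome 96.0.4664.45
ops05 Google Chrome 95.0.4638.69 
bad06 not-installed
"""

# Chrome builds are always MAJOR.MINOR.BUILD.PATCH, four dotted integers.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first Chrome-style version in text as a 4-tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version_text, fixed=FIXED_VERSION):
    """True if the version found in version_text is at least the fixed build.

    Comparing tuples avoids the string-comparison pitfall where
    "95.0.4638.9" would sort after "95.0.4638.69" even though it is older.
    An unparseable version is treated as unpatched, never as patched.
    """
    v = parse_version(version_text)
    if v is None:
        return False
    return v >= parse_version(fixed)


def unpatched_hosts(inventory, fixed=FIXED_VERSION):
    """Return the host names whose Chrome is missing or older than the fixed build."""
    hosts = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition(" ")
        if not is_patched(version_text, fixed):
            hosts.append(host)
    return hosts


if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print("needs update:", host)
```

Feed it real inventory by replacing `SAMPLE_INVENTORY` with the collected output from your endpoint tooling; the comparison logic is the same for Chromium and for a later fixed version passed as `fixed`.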

One zero-day flaw (CVE-2021-38003) exists in the open-source V8 JavaScript engine and is described in the advisory only as an "inappropriate implementation." It was reported on Tuesday by Clément Lecigne of Google's Threat Analysis Group (TAG) and Samuel Groß of Google Project Zero.

The second Chrome zero-day flaw (CVE-2021-38000) exists in Intents, the mechanism by which the browser hands requests off to other applications on the device. The advisory describes it as insufficient validation of untrusted input. It was reported on Sept. 15 by Clément Lecigne, Neel Mehta and Maddie Stone of Google TAG.

“Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild,” according to Google’s Thursday security advisory. Further details of the vulnerabilities are not available, as Google restricts access to bug reports until “a majority of users are updated with a fix.”

Other vulnerabilities fixed in the update include a use-after-free flaw in Chrome's Sign-In feature. This flaw (CVE-2021-37997) was reported on Oct. 14 by MoyunSec Vlab's Wei Yuan, who was awarded $10,000 for the find. Another use-after-free error (CVE-2021-37998) was found in Garbage Collection, the mechanism the browser uses to reclaim memory that is no longer referenced. The flaw was reported by Cassidy Kim of Amber Security Lab on Oct. 13, earning her $7,500.

Two flaws - a type-confusion bug in V8 (CVE-2021-38001) and a use-after-free vulnerability in Web Transport (CVE-2021-38002) - were also uncovered during the Tianfu Cup, a hacking competition that occurred in China between Oct. 16 and Oct. 17.

This week's two actively exploited flaws bring Google Chrome’s tally to 16 zero-day bugs discovered so far this year, among them a use-after-free zero-day vulnerability in Chromium's WebGL component that was patched in June (CVE-2021-30554). That count exceeds the total for any previous year, including the eight zero-day vulnerabilities discovered in 2020, according to a spreadsheet of in-the-wild exploits maintained by Google researchers.