GOOGLE CHROME ZERO-DAY TYPE CONFUSION VULNERABILITY

Priority: High

Summary:

A critical vulnerability was found in Google Chrome (Web Browser) stemming from a type confusion issue in its V8 open-source engine which leads to a privilege escalation vulnerability and impacts confidentiality, integrity and availability. Tracked as CVE-2021-30551, the vulnerability was discovered by Sergei Glazunov from Google Project Zero. The exploitation is known to be easy to execute and may be launched remotely requiring no form of authentication although successful exploitation requires user interaction by the victim.

Background:

This is the sixth zero-day vulnerability of Google Chrome identified in 2021, the previous 5 being:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021

Shane Huntley, Director of Google’s Threat Analysis Group said that the new CVE-2021-30551 vulnerability was exploited by the same threat actor that leveraged CVE-2021-33742. The latter is an actively exploited remote code execution bug in the Windows MSHTML platform, recently addressed by Microsoft in its Patch Tuesday update on June 8. According to security researchers, it seems that the two zero-day vulnerabilities have been developed by a commercial exploit broker for a nation-state actor. The latter utilised the zero-days in limited attacks against targets in Eastern Europe and the Middle East.

Detect:

ITC Qualys customer’s networks can be scanned using QID 375622 to detect vulnerable assets.

You can also manually verify the version of your Chrome browser by following these steps:

Chrome

  • Click on the Menu icon in the upper right corner of the screen.
  • Click on Help, and then About Google Chrome.

Affected Products:

Google Chrome browser prior to version 91.0.4472.101

Prevent:

Google has released Chrome 91.0.4472.101 for Windows, Mac, and Linux to fix 14 security vulnerabilities, including 1 zero-day vulnerability exploited in the wild and tracked as CVE-2021-30551.

Chrome users can perform a manual update by going to Settings > Help > About Google Chrome.

React:

IT administrators should ensure that all Google Chrome and Chromium-based Microsoft Edge browsers are updated to the latest version.

Sources:

[1] https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html

[2] https://www.bleepingcomputer.com/news/security/google-fixes-sixth-chrome-zero-day-exploited-in-the-wild-this-year/

[3] https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/