[BreachExchange] Chrome update addresses seven high-severity vulnerabilities
Sophia Kingsbury
sophia.kingsbury at riskbasedsecurity.com
Mon Aug 23 09:43:06 EDT 2021
https://www.computing.co.uk/news/4036121/chrome-update-addresses-seven-severity-vulnerabilities
Bug details 'may be kept restricted until a majority of users are updated
with a fix'
Google has pushed out an urgent update to address seven severe security
flaws in the Chrome browser, which hackers could use to take control of an
affected system.
Google Chrome technical programme manager Srinivas Sista said Google has
updated Chrome's stable channel to 92.0.4515.159 for Windows, Mac and
Linux, which will roll out over the coming days/weeks.
The update includes fixes for nine security bugs in total, of which seven
were discovered by external researchers.
Sista revealed very little information about the vulnerabilities, saying
that access to bug details "may be kept restricted until a majority of
users are updated with a fix."
Sista added, "We will also retain restrictions if the bug exists in a third
party library that other projects similarly depend on, but haven't yet
fixed."
The USA's Cybersecurity and Infrastructure Security Agency (CISA) said one
of the bugs could enable a threat actor 'to take control of an affected
system'.
A hacker could use this access to steal bank details, use emails to
propagate malware, or encrypt important files until a ransom is paid.
The seven serious bugs have the following CVE identification numbers and
details:
- CVE-2021-30598: Type Confusion in V8; high in severity; reported by
Manfred Paul
- CVE-2021-30599: Type Confusion in V8; high in severity; reported by
Manfred Paul
- CVE-2021-30600: Use after free in Printing; high in severity; reported
by Leecraso and Guang Gong of 360 Alpha Lab
- CVE-2021-30601: Use after free in Extensions API; high in severity;
reported by koocola(@alo_cook) and Nan Wang(@eternalsakura13) of 360 Alpha
Lab
- CVE-2021-30602: Use after free in WebRTC; high in severity; reported
by Marcin Towalski of Cisco Talos
- CVE-2021-30603: Race in WebAudio; high in severity; reported by Sergei
Glazunov of Google Project Zero
- CVE-2021-30604: Use after free in ANGLE; high in severity; reported by
Seong-Hwan Park (SeHwa) of SecunologyLab
V8 is Google's open-source and JavaScript engine. Chrome and other browsers
based on the Chromium project, including Microsoft Edge, Brave, Opera and
Vivaldi, all use it.
WebRTC (Web real-time communications) is the technology that enables
transferring video and audio streaming data between mobile apps and
browsers.
ANGLE (Almost Native Graphics Layer Engine) is Google's open source,
cross-platform graphics engine abstraction layer.
Google says it paid Manfred Paul a $21,000 bounty reward for both of the
two bugs he reported, while 360 Alpha Lab researchers claimed a $20,000
bounty payment for each flaw they found.
CISA urged users to keep Chrome up-to-date at all times, to combat emerging
threats.
Chrome users can check for updates by navigating to Help > About Google
Chrome to check their Chrome browser version. If the version is listed as
92.0.4515.159 or above, they don't need to take any further action.
If not, the About screen should prompt the user to update their browser.
Once the update has downloaded, the user must restart the browser for the
protection to start working.
More than two billion people use Chrome worldwide, and it is one of
cybercriminals' prime targets.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210823/d2bf40f1/attachment.html>
More information about the BreachExchange
mailing list