Google has released Chrome 91.0.4472.101 for Windows, Mac, and Linux to fix 14 security vulnerabilities. Among them is one zero-day, tracked as CVE-2021-30551, that was exploited in the wild.
Google has begun to roll out Google Chrome 91.0.4472.101 globally, and it will be available to all users within the next few days.
Google Chrome will automatically try to upgrade the next time you open the browser, but you can also perform a manual update by navigating to Settings > Help > About Google Chrome.
Six Chrome zero-days exploited in the wild in 2021
Some information about today’s fixed zero-day vulnerability is currently available on the web: it is a type confusion bug in V8, Google’s open-source C++ JavaScript and WebAssembly engine.
The vulnerability was discovered by Sergei Glazunov of Google Project Zero and is being tracked as CVE-2021-30551.
Google says it is aware that an exploit for CVE-2021-30551 exists in the wild.
Shane Huntley, Director of Google’s Threat Analysis Group, states that this zero-day was used by the same threat actors who used the Windows CVE-2021-33742 zero-day vulnerability, which was later fixed by Microsoft.
Today’s update fixes the sixth Google Chrome zero-day exploited in attacks this year; the other five are listed below:
- CVE-2021-21148 – February 4th, 2021
- CVE-2021-21166 – March 2nd, 2021
- CVE-2021-21193 – March 12th, 2021
- CVE-2021-21220 – April 13th, 2021
- CVE-2021-21224 – April 20th, 2021
Besides this, a popular threat actor group named Puzzlemaker has been exploiting the browser’s sandbox and installing malware on Windows systems.
The threat actors are using these vulnerabilities to obtain access to the targeted system. The stager module downloads and executes a more complex malware dropper from a remote server.
As a part of the June 2021 Patch Tuesday, Microsoft released the fixes for the Windows vulnerabilities. However, Kaspersky couldn’t identify what Google Chrome vulnerabilities were used in the Puzzlemaker attacks.
Kaspersky assumes the attackers may have been utilizing the Google Chrome CVE-2021-21224 vulnerability but has not ruled out the use of further undisclosed Chrome zero-day vulnerabilities.