Chrome Browser Bug Under Active Attack – Update your chrome now
Google is warning that a bug in its Chrome web browser is actively under attack, and it is urging users to upgrade to the latest 91.0.4472.101 version to mitigate the issue.
In all, Google rolled out fixes for 14 bugs impacting its Windows, Mac and Linux browsers as part of its June update to the Chrome desktop browser.
“Google is aware that an exploit for CVE-2021-30551 exists in the wild,” wrote Chrome technical program manager Prudhvikumar Bommana in a Wednesday post. That exploit is identified as a type confusion bug within Google’s V8 open-source JavaScript and WebAssembly engine.
The type-confusion vulnerability is tied to the browser’s ActionScript Virtual Machine. “Usually, when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion,” according to a technical description of the bug.
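To make that quoted description concrete, here is an added C illustration (not code from the article or from V8) of a tagged value whose accessor trusts the caller and ignores the type tag, beside the checked accessor that refuses a mismatched type; the `value_t` layout and the function names are my own construction.

```c
#include <stddef.h>
#include <stdio.h>

/* A tagged value, as a dynamic-language runtime might represent one
 * (constructed example, not V8's actual object layout). */
typedef enum { T_INT, T_STR } tag_t;

typedef struct {
    tag_t tag;
    union {
        long        i;
        const char *s;
    } u;
} value_t;

/* Unchecked accessor: reads the integer slot without looking at the tag.
 * If v actually holds a string, the pointer bits come back as an integer,
 * which is the "uses it blindly without type-checking" case quoted above. */
long as_int_unchecked(const value_t *v) {
    return v->u.i;
}

/* Checked accessor: verifies the tag before touching the union.
 * Returns 0 on success, -1 (leaving *out untouched) on a type mismatch. */
int as_int_checked(const value_t *v, long *out) {
    if (v == NULL || v->tag != T_INT)
        return -1;
    *out = v->u.i;
    return 0;
}

/* Counts how many values in a mixed list the checked accessor rejects. */
size_t count_type_mismatches(const value_t *vals, size_t n) {
    size_t bad = 0;
    for (size_t k = 0; k < n; k++) {
        long tmp;
        if (as_int_checked(&vals[k], &tmp) != 0)
            bad++;
    }
    return bad;
}

int main(void) {
    value_t num = { T_INT, { .i = 42 } };
    value_t str = { T_STR, { .s = "hello" } };
    long out = 0;
    printf("checked int: rc=%d value=%ld\n", as_int_checked(&num, &out), out);
    printf("checked str: rc=%d (rejected)\n", as_int_checked(&str, &out));
    printf("unchecked str: %ld (pointer bits misread)\n", as_int_unchecked(&str));
    return 0;
}
```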
Possible Wider Impact of Exploited Chrome Browser Bug
The update coincides with the release of Chrome 91 (91.0.4472.101) for Android, also on Wednesday. While the desktop and mobile versions of the Chrome web browser share the same version number, it is unclear whether the updated Android Chrome browser is affected by the same vulnerabilities.
Also unclear is if Microsoft’s Edge browser, based on the Chromium open-source browser codebase (principally developed and maintained by Google), is also impacted.
In related news, on Tuesday, Microsoft released a patch for vulnerabilities under active attack, including CVE-2021-33742, impacting its Edge browser. That bug is a remote-code execution (RCE) vulnerability within the Edge browser’s MSHTML component.
“The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control,” Microsoft explained.
Critical Browser Cache Bug: CVE-2021-30544
As part of the June Chrome update, Google patched a critical use-after-free bug (CVE-2021-30544) within the browser’s optimization engine called BFCache. This browser component enables back-and-forward navigation between cached webpages within Chrome.
As customary with recently disclosed bugs, Google did not release the details tied to any of the vulnerabilities patched Wednesday. “Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed,” the Google advisory stated.
Google credits Rong Jian and Guang Gong of 360 Alpha Lab for finding the BFCache bug in May. For their bug hunting efforts, the pair earned $25,000.
Source: threatpost.com