Google Chrome Zero-day Type confusion Vulnerability

The sixth Google Chrome zero-day of the year was the talk of the town during the June 2021 Patch Tuesday. The earlier five zero-days were:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021

Google states that they are “aware that an exploit for CVE-2021-30551 exists in the wild.” The Stable channel has been updated to 91.0.4472.101 for Windows, Mac and Linux, which will roll out over the coming days/weeks. Details regarding this fixed zero-day vulnerability are very limited, except that it is a type confusion bug in V8, Google’s open-source C++ WebAssembly and JavaScript engine.

The vulnerability was discovered by Sergei Glazunov of Google Project Zero and is being tracked as CVE-2021-30551.

Affected products

Google Chrome prior to 91.0.4472.101

Mitigation

Google has released Chrome 91.0.4472.101 for Windows, Mac, and Linux to fix 14 security vulnerabilities, with 1 zero-day vulnerability exploited in the wild and tracked as CVE-2021-30551.

One can perform a manual update by going to Settings > Help > About Google Chrome.

Qualys Detection

Qualys customers can scan their network with QID 375622 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References and Sources

https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop.html

https://www.bleepingcomputer.com/news/security/google-fixes-sixth-chrome-zero-day-exploited-in-the-wild-this-year/

https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/
