The seventh zero-day of Google Chrome was talk of the town in mid-June 2021, two weeks after the sixth zero-day was observed in the wild. The earlier six zero-days were:
- CVE-2021-21148 – February 4th, 2021
- CVE-2021-21166 – March 2nd, 2021
- CVE-2021-21193 – March 12th, 2021
- CVE-2021-21220 – April 13th, 2021
- CVE-2021-21224 – April 20th, 2021
- CVE-2021-30551 – June 9th, 2021
Google states that they are “aware that an exploit for CVE-2021-30554 exists in the wild.” The Stable channel has been updated to 91.0.4472.114 for Windows, Mac and Linux, which will roll out over the coming days or weeks. Details regarding this fixed zero-day vulnerability are very limited, except that it is caused by a use-after-free weakness in WebGL (Web Graphics Library), the JavaScript API used by the Chrome web browser to render interactive 2D and 3D graphics without plug-ins.
Affected products
Google Chrome prior to 91.0.4472.114.
Mitigation
Google has released Chrome 91.0.4472.114 for Windows, Mac, and Linux to fix the zero-day vulnerability that is being exploited in the wild and is tracked as CVE-2021-30554.
One can perform a manual update by going to Settings > Help > About Google Chrome.
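As an added example (not part of this advisory and not Qualys or Google code), the following Python script shows how an administrator can triage an inventory of reported Chrome version strings against the fixed build 91.0.4472.114, and optionally query a locally installed Chrome or Chromium binary. The inventory entries are constructed sample data, and the binary names probed on PATH are assumptions that apply to Linux-style installs; on Windows and macOS the browser binary is normally not on PATH and the version should be taken from the installed-software inventory instead.

```python
import re
import shutil
import subprocess

# Fixed build from the Chrome Stable channel update cited in the advisory.
FIXED_VERSION = "91.0.4472.114"

# Matches a dotted version with two to four numeric components.
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text):
    """Extract the first dotted version number from a string such as
    'Google Chrome 91.0.4472.101' and return it as a 4-tuple of ints.
    Missing trailing components are padded with zeros, so '91.0'
    becomes (91, 0, 0, 0) and compares correctly against full builds."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version_text, fixed=FIXED_VERSION):
    """True when the reported build predates the fixed build
    (the advisory lists 'Google Chrome prior to 91.0.4472.114')."""
    return parse_version(version_text) < parse_version(fixed)


def local_chrome_version():
    """Ask a locally installed Chrome/Chromium binary for its version.
    Assumption: binary names typical of Linux packages; returns the raw
    '--version' output, or None when no such binary is on PATH."""
    for name in ("google-chrome", "google-chrome-stable",
                 "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True,
                                    text=True, timeout=10)
            return result.stdout.strip()
    return None


# Constructed sample inventory (hostname, reported version); not real assets.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 91.0.4472.101"),
    ("ws-02", "Google Chrome 91.0.4472.114"),
    ("ws-03", "Google Chrome 90.0.4430.212"),
    ("ws-04", "Google Chrome 92.0.4515.107"),
]


def triage(inventory):
    """Return the hostnames whose reported Chrome build is still affected."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    print("Affected hosts in sample inventory:", triage(SAMPLE_INVENTORY))
    local = local_chrome_version()
    if local:
        status = "AFFECTED" if is_affected(local) else "fixed"
        print(f"{local} -> {status}")
    else:
        print("No Chrome/Chromium binary found on PATH")
```

The comparison is a strict "less than" on numeric tuples rather than a string comparison, so 91.0.4472.9 is correctly ordered before 91.0.4472.114; a string comparison would get that wrong.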
Qualys Detection
Qualys customers can scan their network with QID 375638 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on latest vulnerabilities.
References and Sources
https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html
https://threatprotect.qualys.com/2021/06/11/google-chrome-zero-day-type-confusion-vulnerability/