Update Chrome now, it has a zero-day exploit
We’re much more used to security flaws now after years of being conditioned to hearing about them from various sources. Some software makers handle vulnerabilities better than others of course, but remember, software is inherently complicated and it’s being written by flawed humans so mistakes are inevitable.
Today Sergei Glazunov of Google Project Zero reports on a new flaw in Google Chrome, the sixth zero-day affecting the browser this year. Very little information has been released on the vulnerability, but from what we can learn it seems to be in V8, the JavaScript engine that powers Chrome.
If you aren’t familiar with the term, a zero-day is a flaw that is already being exploited in the wild before a fix is available, meaning you’re vulnerable right away.
Flaws like this are sometimes lucrative as many companies issue bounties if you report one. In this case, it netted the finder $25,000.
There are a number of other flaws being patched alongside the zero-day; the list is reproduced below, together with the bounty amounts paid for each.
[$25000][1212618] Critical CVE-2021-30544: Use after free in BFCache. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-05-24
[$20000][1201031] High CVE-2021-30545: Use after free in Extensions. Reported by kkwon with everpall and kkomdal on 2021-04-21
[$NA][1206911] High CVE-2021-30546: Use after free in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-05-08
[$TBD][1210414] High CVE-2021-30547: Out of bounds write in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2021-05-18
[$TBD][1210487] High CVE-2021-30548: Use after free in Loader. Reported by Yangkang(@dnpushme) & Wanglu of Qihoo360 Qex Team on 2021-05-18
[$TBD][1212498] High CVE-2021-30549: Use after free in Spell check. Reported by David Erceg on 2021-05-23
[$TBD][1212500] High CVE-2021-30550: Use after free in Accessibility. Reported by David Erceg on 2021-05-23
[$NA][1216437] High CVE-2021-30551: Type Confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group and Sergei Glazunov of Google Project Zero on 2021-06-04
[$TBD][1200679] Medium CVE-2021-30552: Use after free in Extensions. Reported by David Erceg on 2021-04-20
[$TBD][1209769] Medium CVE-2021-30553: Use after free in Network service. Reported by Anonymous on 2021-05-17
If you aren’t sure whether your browser is up to date, fire up Chrome and visit Settings > About Google Chrome and let the browser update itself. We recommend doing this at your earliest opportunity.
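For anyone tracking this across more than one machine, the release-note list above and the "is my browser patched yet?" check both lend themselves to a small script. The following is an added example written for this post, not code from Google or the Chrome project: it parses release-note lines of the form shown above into structured records (CVE, severity, bug id, bounty, reporter, date), summarises them by severity, and compares an installed Chrome version string against a minimum fixed version. The `SAMPLE_NOTES` text is copied from the list above; the version strings in the demo are constructed, and the minimum fixed version is a placeholder you should replace with the one from the official release notes.

```python
import re
from collections import Counter
from typing import NamedTuple, Optional

# One line of Chrome's stable-channel release notes looks like:
# "[$25000][1212618] Critical CVE-2021-30544: Use after free in BFCache. Reported by X on 2021-05-24"
# Bounty is a number, or "NA" / "TBD" when none is disclosed.
ENTRY_RE = re.compile(
    r"^\[\$(?P<bounty>[^\]]+)\]\[(?P<bug>\d+)\]\s+"
    r"(?P<severity>Critical|High|Medium|Low)\s+"
    r"(?P<cve>CVE-\d{4}-\d{4,})\s*:\s+"
    r"(?P<summary>.+?)\.\s+Reported by\s+(?P<reporter>.+?)\s+on\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s*$"
)

# Copied from the release-note list in the post above.
SAMPLE_NOTES = """\
[$25000][1212618] Critical CVE-2021-30544: Use after free in BFCache. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-05-24
[$20000][1201031] High CVE-2021-30545: Use after free in Extensions. Reported by kkwon with everpall and kkomdal on 2021-04-21
[$NA][1206911] High CVE-2021-30546: Use after free in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-05-08
[$TBD][1210414] High CVE-2021-30547: Out of bounds write in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2021-05-18
[$TBD][1210487] High CVE-2021-30548: Use after free in Loader. Reported by Yangkang(@dnpushme) & Wanglu of Qihoo360 Qex Team on 2021-05-18
[$TBD][1212498] High CVE-2021-30549: Use after free in Spell check. Reported by David Erceg on 2021-05-23
[$TBD][1212500] High CVE-2021-30550: Use after free in Accessibility. Reported by David Erceg on 2021-05-23
[$NA][1216437] High CVE-2021-30551: Type Confusion in V8. Reported by Clement Lecigne of Google's Threat Analysis Group and Sergei Glazunov of Google Project Zero on 2021-06-04
[$TBD][1200679] Medium CVE-2021-30552: Use after free in Extensions. Reported by David Erceg on 2021-04-20
[$TBD][1209769] Medium CVE-2021-30553: Use after free in Network service. Reported by Anonymous on 2021-05-17
"""


class Entry(NamedTuple):
    cve: str
    severity: str
    bug: int
    bounty: Optional[int]  # None when the note says $NA or $TBD
    summary: str
    reporter: str
    date: str


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one release-note line; return None for lines that don't match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    raw = m.group("bounty")
    bounty = int(raw) if raw.isdigit() else None
    return Entry(m.group("cve"), m.group("severity"), int(m.group("bug")),
                 bounty, m.group("summary"), m.group("reporter"), m.group("date"))


def parse_notes(text: str) -> list[Entry]:
    """Parse every matching line of a release-note block, skipping the rest."""
    return [e for e in (parse_entry(ln) for ln in text.splitlines()) if e]


def severity_counts(entries: list[Entry]) -> dict[str, int]:
    return dict(Counter(e.severity for e in entries))


def total_disclosed_bounty(entries: list[Entry]) -> int:
    """Sum only the bounties that were actually disclosed as a number."""
    return sum(e.bounty for e in entries if e.bounty is not None)


def parse_version(s: str) -> tuple[int, ...]:
    """Accept '91.0.4472.77' or 'Google Chrome 91.0.4472.77' and return int parts."""
    m = re.search(r"(\d+(?:\.\d+)+)", s)
    if not m:
        raise ValueError(f"no version number found in {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(installed: str, minimum_fixed: str) -> bool:
    """True when the installed build is at or above the first fixed build."""
    return parse_version(installed) >= parse_version(minimum_fixed)


if __name__ == "__main__":
    entries = parse_notes(SAMPLE_NOTES)
    print(f"{len(entries)} entries, by severity: {severity_counts(entries)}")
    print(f"disclosed bounties total: ${total_disclosed_bounty(entries)}")
    # Placeholder: replace with the fixed version quoted in the official release notes.
    MIN_FIXED_VERSION = "91.0.0.0"
    # Constructed sample of what `google-chrome --version` prints on Linux.
    installed = "Google Chrome 90.0.4430.212"
    print(f"{installed!r} patched: {is_patched(installed, MIN_FIXED_VERSION)}")
```

On a fleet, feed `parse_version` the output of `google-chrome --version` (Linux), the `CFBundleShortVersionString` from the app bundle (macOS), or the `Version` value Chrome writes to its registry key (Windows), and treat anything below the fixed build as a host that still needs the update.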
Image credit: Profit_Image / Shutterstock