Just a week ago, Google rolled out an incremental update to the Chrome Desktop browser that contained a variety of crucial security updates. In that update, the Chrome developer team revealed that one of the vulnerabilities had been actively exploited in the wild. When this happens, it is referred to as a Zero-Day exploit as the software developers were unaware of the weakness prior to the attack. The latest update to the Chrome browser includes only 4 security patches but each of the four is marked “high” which means that they are critical updates. One of the patches does include a fix for a vulnerability that Google has confirmed has been exploited in the wild.
The bug, CVE-2021-30554, was reported by an anonymous source and the bounty for the find is yet to be determined. Google declined to give details on how exactly the bug was exploited. That is likely to give users ample time to get the browser updated to prevent any further attacks. This particular bug is related to WebGL and has been identified as a “use after free” vulnerability. What does that mean? Here’s a brief explanation.
“Use After Free specifically refers to the attempt to access memory after it has been freed, which can cause a program to crash or, in the case of a Use-After-Free flaw, can potentially result in the execution of arbitrary code or even enable full remote code execution capabilities.” (Webopedia)
Needless to say, it is probably a good idea to go ahead and make sure your Chrome browser is up to date. The latest version that includes the fix for this bug is 91.0.4472.114. If you are using Chrome on Windows, Linux, or macOS, you will want to head to the About Chrome section in the settings menu and check for an update. If my math is correct, this is the seventh known zero-day exploit for the Chrome browser this year. Thankfully, it appears that it was discovered and patched very quickly. Below you can find the four security patches and their corresponding CVE assignment.
- [$TBD] High CVE-2021-30554: Use after free in WebGL. Reported by anonymous on 2021-06-15
- [$10000] High CVE-2021-30555: Use after free in Sharing. Reported by David Erceg on 2021-06-01
- [$7500] High CVE-2021-30556: Use after free in WebAudio. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-24
- [$10000] High CVE-2021-30557: Use after free in TabGroups. Reported by David Erceg on 2021-04-23
Source: Chrome Release
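
For anyone checking more than one machine, the sketch below compares reported Chrome version strings against the fixed version named above, 91.0.4472.114. It is an added example, not code from Google or from this article; the host names and the sample inventory are constructed, and the input format (a version string per host, such as the output of a `--version` call) is an assumption.

```python
import re

# Fixed desktop version named in the article.
PATCHED = (91, 0, 4472, 114)

# Four dot-separated numeric fields, as in "Google Chrome 91.0.4472.114".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def audit(inventory):
    """Sort hosts from {host: version string} into patched, outdated, unknown."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, raw in sorted(inventory.items()):
        version = parse_version(raw)
        if version is None:
            # No parsable version: treat as needing a manual check.
            report["unknown"].append(host)
        elif version >= PATCHED:
            # Tuples compare field by field as numbers, so .99 < .114.
            report["patched"].append(host)
        else:
            report["outdated"].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = {
    "ws-01": "Google Chrome 91.0.4472.114",
    "ws-02": "Google Chrome 91.0.4472.106",
    "ws-03": "Google Chrome 90.0.4430.212",
    "ws-04": "Google Chrome 92.0.4515.40 beta",
    "ws-05": "chrome: command not found",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Comparing the versions as integer tuples matters here: a plain string comparison would rank 91.0.4472.99 above 91.0.4472.114 and report an unpatched browser as current.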