For the umpteenth time this year, Google has rolled out an incremental update to the Chrome browser that contains a handful of security patches. Nothing out of the ordinary there but like so many updates before, this one addresses what is known as a Zero-Day exploit. In fact, the changelog for Chrome 93.0.4577.82 names two separate exploits in the wild which brings the total for 2021 into double digits.
A Zero-Day exploit is an attack that uses a vulnerability before the software’s maintainers have identified and patched it. It’s not uncommon for Zero Days to turn up in software that updates as frequently as a web browser. Chrome is no exception, and Google’s in-house browser has had its fair share thanks to the ever-evolving nature of the internet and the darker side of the web, where unsavory types like to target unknowing users to steal personal data and attack systems.
Anyway, that’s all for your tech lesson today. Needless to say, it’s important to keep your software up to date, not only for stability but to protect yourself from nasty little bugs that could compromise your personal information. As you can see from the list below, bounties were paid for some of these security fixes as part of Google’s ongoing bug bounty program, which rewards those who report issues with Chrome. For Google’s part, it’s a small price to pay to ensure that the browser is safe for its more than two billion users.
- [$7500] High CVE-2021-30625: Use after free in Selection API. Reported by Marcin Towalski of Cisco Talos on 2021-08-06
- [$7500] High CVE-2021-30626: Out of bounds memory access in ANGLE. Reported by Jeonghoon Shin of Theori on 2021-08-18
- [$5000] High CVE-2021-30627: Type Confusion in Blink layout. Reported by Aki Helin of OUSPG on 2021-09-01
- [$TBD] High CVE-2021-30628: Stack buffer overflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-08-18
- [$TBD] High CVE-2021-30629: Use after free in Permissions. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2021-08-26
- [$TBD] High CVE-2021-30630: Inappropriate implementation in Blink. Reported by SorryMybad (@S0rryMybad) of Kunlun Lab on 2021-08-30
- [$TBD] High CVE-2021-30631: Type Confusion in Blink layout. Reported by Atte Kettunen of OUSPG on 2021-09-06
- [$TBD] High CVE-2021-30632: Out of bounds write in V8. Reported by Anonymous on 2021-09-08
- [$TBD] High CVE-2021-30633: Use after free in Indexed DB API. Reported by Anonymous on 2021-09-08
All of these bugs were rated “high” severity, so it’s a good thing that more Zero Days weren’t reported in the wild. The two that were discovered have been patched along with the other nine vulnerabilities, and that is why you should drop what you’re doing and take a minute to update Chrome on any and all of your Windows, macOS, and Linux machines. To update, click the three-dot menu at the top-right of Chrome and look for “Update Google Chrome.” If you don’t see it, you should already be on the latest version, but you can double-check by heading to the Help menu and clicking “About Google Chrome.” The latest version of Chrome with all the above fixes is 93.0.4577.82. If you’re on that version, you’re good to go. Learn more about the latest version of Chrome here.
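If you look after more than one machine, checking the installed build against 93.0.4577.82 by hand gets old quickly. The script below is an added example, not code from the article or from Google: it parses version strings numerically (a plain string comparison would wrongly pass 93.0.4577.9 as newer than 93.0.4577.82), flags hosts in a constructed inventory that are still below the fixed build, and optionally queries a local Chrome binary (the binary names and paths tried are assumptions).

```python
import re
import subprocess
from typing import Optional

# Build that ships the fixes listed above (taken from the article).
FIXED_VERSION = "93.0.4577.82"

def parse_version(text: str) -> Optional[tuple]:
    """Pull a dotted Chrome version out of text such as 'Google Chrome 93.0.4577.82'
    and return it as a tuple of ints so comparisons are numeric, not lexical."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())

def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the reported build is at or above the fixed build.
    An unparsable version is treated as not patched (fail closed)."""
    v = parse_version(version_text)
    if v is None:
        return False
    return v >= parse_version(fixed)

def local_chrome_version() -> Optional[str]:
    """Ask a locally installed Chrome for its version string.
    The candidate binary names/paths below are assumptions, not from the article."""
    for exe in ("google-chrome", "google-chrome-stable", "chromium",
                "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"):
        try:
            out = subprocess.run([exe, "--version"], capture_output=True,
                                 text=True, timeout=10)
            if out.returncode == 0 and out.stdout.strip():
                return out.stdout.strip()
        except (FileNotFoundError, subprocess.TimeoutExpired):
            continue
    return None

# Constructed sample inventory (hostname -> version string), as an MDM tool might export.
SAMPLE_INVENTORY = {
    "laptop-01": "Google Chrome 93.0.4577.82",
    "laptop-02": "Google Chrome 93.0.4577.63",
    "build-box": "Chromium 94.0.4606.54",
    "kiosk-7":   "Google Chrome 93.0.4577.9",   # lexical compare would wrongly pass this
    "unknown":   "not installed",
}

def unpatched_hosts(inventory: dict) -> list:
    """Hosts still below the fixed build, or with no parsable version."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))

if __name__ == "__main__":
    print("unpatched:", unpatched_hosts(SAMPLE_INVENTORY))
    local = local_chrome_version()
    if local:
        print(local, "->", "patched" if is_patched(local) else "UPDATE NEEDED")
```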