Google again closes actively attacked zero-day vulnerability in Chrome

For the second time this month and the seventh time this year, Google has released a security update for an actively attacked zero-day vulnerability in Chrome. The vulnerability, designated CVE-2021-30554, resides in WebGL, a JavaScript API that Chrome and other browsers use to render 2D and 3D content in the browser.

The impact of the vulnerability has been rated "high". This rating covers vulnerabilities that allow an attacker to execute code within the context of the browser, which makes it possible, for example, to read or modify data from other websites. Vulnerabilities that allow an escape from the Chrome sandbox also fall into this category. The vulnerability by itself is not sufficient to take over a system; that would require a second vulnerability, for example in the underlying operating system.

Google did not provide details about the observed attacks, such as the number of victims or when and how the attacks took place. Last week, antivirus company Kaspersky reported that another zero-day vulnerability in Chrome had recently been used in attacks against several companies. The now-fixed vulnerability was reported to Google by an anonymous security researcher on June 15.

Users are advised to update to Google Chrome 91.0.4472.114, which is available for Linux, macOS, and Windows. On most systems the update is installed automatically. Microsoft Edge Chromium, like Chrome, is based on the Chromium browser, and Microsoft is expected to release an update for its own browser soon.

Below is an overview of the seven zero-day vulnerabilities in Google Chrome and the dates on which they were fixed. It was recently revealed that Google has registered a record number of zero-days this year.

  • CVE-2021-21148 - February 4
  • CVE-2021-21166 - March 2
  • CVE-2021-21193 - March 12
  • CVE-2021-21220 - April 13
  • CVE-2021-21224 - April 20
  • CVE-2021-30551 - June 9
  • CVE-2021-30554 - June 17
