Information Surrounding The Vulnerabilities
Google is known for touting the security of its products, and the Chromium security team is responsible for the security of The Chromium Projects. The Google Chrome browser is not an insecure browser by any means and is constantly developed to high standards. However, in this instance, reported on July 17th, 2021, multiple vulnerabilities were found in Google Chrome that range from high to critical severity. Of the seven vulnerabilities, five are a cause for serious concern. Security researchers and developers have uncovered the following information about what these vulnerabilities lead to, including the critical zero-day vulnerability:
- An attacker can remotely control a target system
- The attacker can execute arbitrary code on that system
- The attacker orchestrates the attack by creating a fake web page
- An attacker can compromise a user’s system after the user visits the fake web page
- An attacker gains full access to the vulnerable system
The Official List of Vulnerability Codes
The official CVE IDs (Common Vulnerabilities and Exposures) for the vulnerabilities are as follows, with their respective risk ratings:
- CVE-2021-30563 (Critical Risk Zero-Day Flaw)
- CVE-2021-30559 (High Risk)
- CVE-2021-30561 (High Risk)
- CVE-2021-30541 (High Risk)
- CVE-2021-30560 (High Risk)
Critical Vulnerability Still at Large
Among the vulnerabilities listed above, one is critical and is still being actively exploited in the wild: CVE-2021-30563. It is a type confusion flaw and was discovered by Sergei Glazunov (Google Project Zero). Like the others, it allows a remote attacker to execute arbitrary code on the target system through a Google Chrome security hole, but it differs in that the error lies within the V8 component of Google Chrome. V8 is Google’s own JavaScript and WebAssembly engine. Google’s Chrome Releases blog states: “Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild.” This is the eighth critical vulnerability patched by Google in the Chrome browser this year.
Arch Linux Has Also Reported Vulnerabilities
Arch Linux has reported that it is also affected by the ‘Chromium arbitrary code execution’ and ‘Vivaldi arbitrary code execution’ issues.
Google And Arch Linux Release Patches For The Vulnerabilities
To mitigate the vulnerabilities, Google has rolled out a ‘Stable channel’ update for desktop, bringing Chrome up to version 91.0.4472.164. According to the Chrome Releases web page, “The Stable channel has been updated to 91.0.4472.164 for Windows, Mac, and Linux which will roll out over the coming days/weeks.” All users are advised to update Google Chrome to version 91.0.4472.164 for their respective operating system to protect against the consequences of these vulnerabilities.
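As an added example, not code from the original article or from Google, here is a Python check that parses a locally installed Chrome or Chromium version string and compares it against the 91.0.4472.164 Stable build named above; the binary names it probes on PATH are assumptions.

```python
"""Check whether an installed Chrome/Chromium build is at or above the fixed 91.0.4472.164 release."""
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Stable channel build that carries the fixes for the CVEs listed in the article.
FIXED_VERSION = "91.0.4472.164"


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull a dotted numeric version out of output such as 'Google Chrome 91.0.4472.114'
    and return it as a tuple of ints, so that 4472 compares numerically rather than as text."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"no version string found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is the fixed build or newer.
    Tuple comparison ranks 91.0.4472.9 below 91.0.4472.164; plain string comparison would not."""
    return parse_version(installed) >= parse_version(fixed)


def installed_chrome_version() -> Optional[str]:
    """Ask a locally installed browser binary for its version string, or return None if none is on PATH.
    The binary names below are assumptions about common Linux package names, not taken from the article."""
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            result = subprocess.run([path, "--version"], capture_output=True, text=True, timeout=10)
            return result.stdout.strip()
    return None


if __name__ == "__main__":
    version = installed_chrome_version()
    if version is None:
        print("No Chrome/Chromium binary found on PATH")
    elif is_patched(version):
        print(f"{version}: at or above {FIXED_VERSION}, patched")
    else:
        print(f"{version}: below {FIXED_VERSION}, update required")
```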