An October 28th, 2021 report released on Chrome Releases lists a total of seven high-risk vulnerabilities affecting the browser, two of which are being actively exploited by malicious threat actors. The Chrome browser has been seemingly full of security holes this year (such as remote code execution and use-after-free instances), pushing developers to release fixes that patch potentially dangerous zero days to protect Chrome’s two billion-strong user base.
Multiple Software Vulnerabilities
The following are the Common Vulnerabilities Database ID codes for all the vulnerabilities in Google’s report:
CVE-2021-37997, CVE-2021-37998, CVE-2021-37999, CVE-2021-38000, CVE-2021-38001, CVE-2021-38002, CVE-2021-38003
The Key Software Vulnerabilities
Two of the above vulnerabilities, namely CVE-2021-38000 and CVE-2021-38003, are of significant concern because they have been confirmed as exploited by malicious threat actors. The flaws were found in the ‘V8’ component of Chrome and in ‘Intents.’ The report on Chrome Releases states, “Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild.”
Technical Analysis of The Key Vulnerabilities
CVE-2021-38000 is a software vulnerability classified as high risk, of type “exposed dangerous method or function.” It allows a remote attacker to compromise an affected system that is not updated. The vulnerability exists due to insufficient validation of untrusted input in Intents in Google Chrome.
CVE-2021-38003 is a software vulnerability classified as high risk, of type “improperly implemented security check for standard.” It allows a remote attacker to compromise the affected system. It exists due to incorrect implementation in the V8 engine in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it and compromise a vulnerable system.
Vulnerable Software Versions
Google Chrome: 70.0.3538.67, 70.0.3538.77, 70.0.3538.102, 70.0.3538.110, 71.0.3578.80, 71.0.3578.98, 72.0.3626.81, 72.0.3626.96, 72.0.3626.109, 72.0.3626.119, 72.0.3626.121, 73.0.3683.75, 73.0.3683.86, 73.0.3683.103, 74.0.3729.108, 74.0.3729.131, 74.0.3729.157, 74.0.3729.169, 75.0.3770.80, 75.0.3770.90, 75.0.3770.100, 75.0.3770.142, 76.0.3809.87, 76.0.3809.100, 76.0.3809.132, 77.0.3865.75, 77.0.3865.90, 77.0.3865.120, 78.0.3904.70, 78.0.3904.87, 78.0.3904.97, 78.0.3904.108, 79.0.3945.79, 79.0.3945.88, 79.0.3945.117, 79.0.3945.130, 80.0.3987.87, 80.0.3987.100, 80.0.3987.106, 80.0.3987.116, 80.0.3987.122, 80.0.3987.132, 80.0.3987.149, 80.0.3987.162, 80.0.3987.163, 81.0.4044.92, 81.0.4044.113, 81.0.4044.122, 81.0.4044.129, 81.0.4044.138, 83.0.4103.61, 83.0.4103.97, 83.0.4103.106, 83.0.4103.116, 84.0.4147.89, 84.0.4147.105, 84.0.4147.125, 84.0.4147.135, 85.0.4183.83, 85.0.4183.102, 85.0.4183.121, 86.0.4240.75, 86.0.4240.111, 86.0.4240.183, 86.0.4240.193, 86.0.4240.198, 87.0.4280.66, 87.0.4280.88, 87.0.4280.141, 88.0.4324.96, 88.0.4324.104, 88.0.4324.146, 88.0.4324.150, 88.0.4324.182, 88.0.4324.190, 89.0.4389.72, 89.0.4389.82, 89.0.4389.90, 89.0.4389.114, 89.0.4389.128, 90.0.4430.72, 90.0.4430.85, 90.0.4430.93, 90.0.4430.212, 91.0.4472.77, 91.0.4472.101, 91.0.4472.106, 91.0.4472.114, 91.0.4472.124, 91.0.4472.164, 92.0.4515.107, 92.0.4515.131, 92.0.4515.159, 93.0.4577.63, 93.0.4577.82, 94.0.4606.54, 94.0.4606.61, 94.0.4606.71, 94.0.4606.81, 95.0.4638.54
Useful Information For Chrome Users
Specific details about how exactly the exploited software flaws have been leveraged by malicious threat actors are not yet available; however, an explanation may be in the works from security research teams at Project Zero or Google TAG. For the moment, it is important for Google Chrome users to know that a new stable version of Google Chrome is available that remediates any potential risks resulting from the above vulnerabilities. Users should ensure that they are using the latest version of Chrome.
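For administrators acting on the version list and the update advice above, the following added example (not part of the original report or of any Google tooling) triages an inventory export against the highest build in that list, 95.0.4638.54. It assumes every build at or below that ceiling is affected, and the "host,version" record format, hostnames and sample builds are constructed for illustration.

```python
import re

# Highest build in the page's "Vulnerable Software Versions" list.
HIGHEST_LISTED_VULNERABLE = "95.0.4638.54"

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Turn '95.0.4638.54' into (95, 0, 4638, 54); return None if malformed."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        return None
    return tuple(int(part) for part in text.split("."))


def needs_update(version_text, ceiling=HIGHEST_LISTED_VULNERABLE):
    """True when the build is at or below the highest listed vulnerable build.

    Assumption: every build up to the ceiling is treated as affected, not only
    the exact builds the page enumerates. Unparseable versions are flagged too,
    so a broken inventory record is reviewed rather than silently passed.
    """
    parsed = parse_version(version_text)
    if parsed is None:
        return True
    return parsed <= parse_version(ceiling)


def triage(inventory_lines):
    """Split 'host,version' records into (to_update, above_range) host lists."""
    to_update, above_range = [], []
    for line in inventory_lines:
        host, _, version = line.partition(",")
        (to_update if needs_update(version) else above_range).append(host.strip())
    return to_update, above_range


# Constructed inventory export; hostnames and builds above the ceiling are made up.
SAMPLE_INVENTORY = [
    "ws-001,94.0.4606.81",
    "ws-002,95.0.4638.54",
    "ws-003,95.0.4638.99",
    "ws-004,100.0.0.1",  # as a plain string this sorts before "95...", hence tuples
    "ws-005,unknown",
]

if __name__ == "__main__":
    flagged, above = triage(SAMPLE_INVENTORY)
    print("update required:", flagged)
    print("above listed range:", above)
```

A host reported as above the listed range is only outside the builds this page enumerates; confirm it against the current stable release before treating it as remediated.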