On the same day that Apple released updates for iOS and macOS to address critical security problems, Google published an advisory warning of two already-exploited flaws in its desktop Chrome browser. Google stated, “Google is aware that vulnerabilities for CVE-2021-30632 and CVE-2021-30633 exist in the wild.” Google disclosed no further details about the flaws or about publicly available exploits. According to the company, both issues were reported anonymously. The bare bones:
High severity, CVE-2021-30632: out-of-bounds write in V8, Chrome's JavaScript engine. Reported anonymously on 2021-09-08.
High severity, CVE-2021-30633: use-after-free in the Indexed DB API. Reported anonymously on 2021-09-08.
The fix ships in Chrome 93.0.4577.82 for Windows, macOS and Linux, a release that resolves at least nine security flaws, all rated “high-severity.” Chrome downloads updates in the background, but the patched build only takes effect after the browser is relaunched, so a long-running session can still be on a vulnerable build; the installed version is shown at chrome://settings/help.

So far in 2021, 66 zero-day attacks have been recorded, 11 of them against security flaws in Google's Chrome and Android platforms, according to the data examined.

The Chrome patch lands on the same day as Apple's remedies for “actively exploited” iOS and macOS weaknesses, and less than a week after Microsoft disclosed zero-day attacks on its Microsoft Office suite. Last week, the Redmond, Wash.-based software giant released an urgent pre-patch advisory warning of a remote code execution vulnerability in MSHTML, the Internet Explorer rendering engine (Trident) that Office uses to render embedded web content in documents. Microsoft stated, “Microsoft is aware of targeted attacks that aim to exploit this issue by using specially designed Microsoft Office documents.” As is normal, Redmond's security response team gave no specifics about the live attacks, but the acknowledgements in the advisory, together with the “targeted” wording, are enough to suggest nation-state APT activity. Microsoft credits four external researchers with reporting the vulnerability; three of the four are linked to Mandiant, an incident-response and threat-intelligence firm that regularly tracks high-end targeted attacks. Microsoft described the attacks as “targeted,” a term that in its advisories usually refers to the kind of Windows malware implants used for government cyber-espionage or corporate data theft.
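The practical follow-up to an advisory like this is confirming that every managed endpoint is on the fixed build. The script below is an added example written for this page, not code from Google or from the article; it parses Chrome's four-part version string (as printed by `google-chrome --version` on Linux or by the Chrome binary's `--version` on macOS) and compares it against 93.0.4577.82. The host names and version strings in the sample inventory are constructed for illustration.

```python
import re
import subprocess

# Fixed desktop Chrome release from the advisory discussed above.
FIXED_VERSION = "93.0.4577.82"

# Chrome versions are MAJOR.MINOR.BUILD.PATCH; Chrome Stable, Beta and
# Canary all use this shape, so a plain tuple comparison orders them.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

# Constructed sample inventory (hypothetical hosts and version strings),
# shaped like the output of `google-chrome --version` on each machine.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 93.0.4577.63",   # previous 93 build, vulnerable
    "ws-02": "Google Chrome 93.0.4577.82",   # exactly the fixed build
    "ws-03": "Google Chrome 92.0.4515.159",  # older major, vulnerable
    "ws-04": "Google Chrome 94.0.4606.54",   # newer major, carries the fix
}


def parse_version(text):
    """Extract a Chrome build number from text such as
    'Google Chrome 93.0.4577.63' or '93.0.4577.82 (Official Build)'.
    Returns a tuple of four ints, or None if no version is present."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(version_text, fixed=FIXED_VERSION):
    """True if the installed build is the fixed build or newer.
    Tuple comparison handles a higher major (e.g. 94.x) correctly
    without any special-casing."""
    installed = parse_version(version_text)
    if installed is None:
        raise ValueError(f"no Chrome version found in {version_text!r}")
    return installed >= parse_version(fixed)


def unpatched_hosts(inventory, fixed=FIXED_VERSION):
    """Return the sorted list of host names still on a vulnerable build."""
    return sorted(host for host, ver in inventory.items()
                  if not is_patched(ver, fixed))


def local_chrome_version():
    """Best-effort read of the locally installed Chrome version.
    Tries the Linux and macOS binaries; returns the raw version string or
    None if Chrome is not installed or cannot be executed."""
    candidates = [
        ["google-chrome", "--version"],
        ["google-chrome-stable", "--version"],
        ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome",
         "--version"],
    ]
    for cmd in candidates:
        try:
            out = subprocess.run(cmd, capture_output=True, text=True,
                                 timeout=10, check=True).stdout
        except (OSError, subprocess.SubprocessError):
            continue
        if parse_version(out) is not None:
            return out.strip()
    return None


if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        state = "patched" if is_patched(ver) else "VULNERABLE"
        print(f"{host}: {ver} -> {state}")
    print("unpatched:", unpatched_hosts(SAMPLE_INVENTORY))
    local = local_chrome_version()
    if local is not None:
        print("this machine:", local, "->",
              "patched" if is_patched(local) else "VULNERABLE")
```

Note that a host reporting the fixed build from an on-disk binary has only downloaded the update; the fix is not live until the running browser process has been relaunched, so a version-on-disk check should be paired with a check that no Chrome process older than the last update is still running.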