- According to the browser vendor’s security statement today, Google has been informed of reports that an exploit for CVE-2021-4102 exists in the wild.
- Although the company adds that it may take some time for all users to receive this update, Chrome 96.0.4664.110 has already begun rolling out globally in the Stable Desktop channel.
- Until the browser vendor discloses how this weakness is being used in the wild, users should have sufficient time to update Chrome and avoid exploitation.
Chrome 96.0.4664.110 has been released for Windows, Mac, and Linux to address a high-severity zero-day vulnerability that has been exploited in the wild. Google has been made aware of reports that an exploit for CVE-2021-4102 exists in the wild, the browser vendor stated in today’s security bulletin.
Although the firm notes that this update may take some time to reach all users, Chrome 96.0.4664.110 has already begun rolling out globally in the Stable Desktop channel. The upgrade was immediately available when BleepingComputer checked for new updates via the Chrome menu > Help > About Google Chrome. Additionally, the browser will check for the latest updates and will update itself automatically upon subsequent launches.
Details of Chrome’s zero-day exploits are withheld
While Google stated that it is aware of attacks exploiting this zero-day in the wild, it did not provide any information about these incidents. Google added that access to bug details and related links might be restricted until most users have received a fix. The restrictions will also remain in place if the bug exists in a third-party library that other projects depend on but have not yet fixed.
Until the browser vendor discloses any information on how this flaw is being exploited in the field, users should have enough time to upgrade Chrome and avoid exploitation attempts.
Google has patched sixteen Chrome zero-day vulnerabilities
With this release, Google has patched 16 Chrome zero-day vulnerabilities since the start of the year. The other 15 zero-day vulnerabilities addressed in 2021 are listed below:
- CVE-2021-21148 – February 4th
- CVE-2021-21166 – March 2nd
- CVE-2021-21193 – March 12th
- CVE-2021-21220 – April 13th
- CVE-2021-21224 – April 20th
- CVE-2021-30551 – June 9th
- CVE-2021-30554 – June 17th
- CVE-2021-30563 – July 15th
- CVE-2021-30632 and CVE-2021-30633 – September 13th
- CVE-2021-37973 – September 24th
- CVE-2021-37976 and CVE-2021-37975 – September 30th
- CVE-2021-38000 and CVE-2021-38003 – October 28th
Because this zero-day exploit has been used in the wild by attackers, installing today’s Google Chrome update as soon as it becomes available is strongly recommended.
What exactly are zero-day vulnerabilities? And how did Google find them?
Zero-day vulnerabilities are defects in software that are not yet known to the vendor. Attackers can abuse them until they are detected and fixed. Google’s Threat Analysis Group (TAG) constantly looks for hacking attempts and influence operations to safeguard users from digital attacks. This includes hunting for these vulnerabilities, which can be extremely harmful when exploited and have a high success rate.
The details of four in-the-wild zero-day campaigns targeting four distinct vulnerabilities found by Google this year are disclosed in this blog. In Chrome, CVE-2021-21166 and CVE-2021-30551 were exploited; in Internet Explorer, CVE-2021-33742 was used; and in WebKit (Safari), CVE-2021-1879 was exploited.
Three distinct campaigns made use of the four exploits. As is Google’s norm, once these zero-day vulnerabilities were discovered, they were immediately reported to the vendor, and patches were deployed to protect users from these attacks. Google believes that three of these exploits were developed by the same commercial surveillance firm, which sold these capabilities to two distinct government-sponsored entities. Additionally, Google has released root cause analyses (RCAs) for these zero-days.
Along with technical information, Google discusses the significant increase in in-the-wild zero-day attacks that the industry has seen this year. Halfway through 2021, 33 zero-day flaws used in attacks have been officially revealed, 11 more than in 2020. While the number of zero-day exploits being used has increased, Google believes improved detection and disclosure efforts also contribute to the upward trend.
Why are there so many zero-days?
There is no direct correlation between the number of zero-days used in the wild and the number discovered and revealed. The attackers who create zero-day exploits generally want them to remain hidden and unknown, because that is when they are most useful. Several factors could be contributing to the increase in the number of zero-days disclosed as in-the-wild:
Increased detection and disclosure: Earlier this year, Apple began marking vulnerabilities in its security bulletins with remarks indicating when there is cause to believe a vulnerability may be exploited in the wild, and Google added identical annotations to their Android bulletins. Without these annotations, the only way for the public to learn about in-the-wild exploitation is for the researcher or group aware of the exploitation to disseminate the information.
Beyond vendors disclosing when zero-days are believed to be exploited in the wild, it would not be surprising if this results in more vulnerability detection efforts and successes. Additionally, more people are probably concentrating their efforts on discovering vulnerabilities in the wild and reporting the zero-days they find there.