The latest version of the cross-platform Chrome web browser fixes over a dozen security vulnerabilities including one that was being exploited in the wild.
The zero-day vulnerability, discovered by Google Project Zero, and tracked as CVE-2021-30551, is reportedly a type confusion bug that exists in V8, which is Google’s open source WebAssembly and JavaScript engine.
Although Google hasn’t shared much details about the vulnerability at the moment, it did acknowledge that an exploit based on it has been spotted in the wild.
Shane Huntley, Director of Google’s Threat Analysis Group, took to Twitter to share that this vulnerability was used by the same threat actors that earlier used one of the remote code exploitation vulnerabilities in Windows that Microsoft fixed recently in its June 2021 Patch Tuesday.
Attack chain
Bleeping Computer reports that this is the sixth zero-day exploit that Google has fixed in its Chrome web browser in 2021 alone.
This is significant in light of revelations by cybersecurity researchers from Kaspersky who reported that a threat actor named PuzzleMaker recently exploited a chain of zero-day vulnerabilities in the Google Chrome browser and Microsoft Windows systems.
The threat actor used them to escape the browser’s sandbox and install malware in Windows in highly targeted attacks against multiple companies in April 2021.
While it is argued that PuzleMaker might have relied on the now patched Google Chrome CVE-2021-21224 vulnerability, Bleeping Computer suggests that Kaspersky has not ruled out the use of further undisclosed Chrome zero-day vulnerabilities.
