Home Cyber Crime Google fixes second actively exploited Chrome zero-day bug this year

Google fixes second actively exploited Chrome zero-day bug this year

23
0


Google fixes second actively exploited Chrome zero-day bug this year

Google has mounted an actively exploited zero-day vulnerability within the Chrome 89.0.4389.72 model launched in the present day, March 2nd, 2021, to the Secure desktop channel for Home windows, Mac, and Linux customers.

“Google is conscious of stories that an exploit for CVE-2021-21166 exists within the wild,” the Google Chrome 89.0.4389.72 announcement reads.

This model is now rolling out to your complete userbase. You’ll be able to improve to Chrome 89 by going to Settings -> Assist -> About Google Chrome.

The Google Chrome internet browser will then mechanically verify for the brand new replace and set up it when obtainable.

Chrome-89

No particulars on ongoing assaults

Google rated the zero-day vulnerability as excessive severity and described it as an “Object lifecycle concern in audio.” The safety flaw was reported final month by Alison Huffman of Microsoft Browser Vulnerability Analysis on 2021-02-11.

Though Google says that it’s conscious of stories {that a} CVE-2021-21166 exploit exists within the wild, the search big didn’t share any data concerning the menace actors behind these assaults.

“Entry to bug particulars and hyperlinks could also be stored restricted till a majority of customers are up to date with a repair,” Google added.

“We can even retain restrictions if the bug exists in a 3rd social gathering library that different initiatives equally rely on, however haven’t but mounted.”

Till extra data on the zero-day is disclosed, Chrome customers ought to have extra time to put in the safety replace launched in the present day to stop any ongoing assaults.

The shortage of additional data can even forestall extra menace actors from creating exploits concentrating on this zero-day.

Second Chrome zero-day patched this yr

Google mounted another Chrome zero-day actively exploited within the wild in February, a  heap buffer overflow bug in V8 tracked as CVE-2021-2114 and rated as excessive severity.

Final yr, Google fixed five more actively exploited Chrome zero-days inside a single month, between October 20 and November 12.

At the moment’s Chrome launch addresses 47 different safety vulnerabilities contributed by exterior researchers:

• [1129361] Excessive CVE-2021-21158: Inadequate information validation in iOSWeb. Reported by Nameless on 2020-09-17
• [1171049] Excessive CVE-2021-21159: Heap buffer overflow in TabStrip. Reported by Khalil Zhani on 2021-01-27
• [1170531] Excessive CVE-2021-21160: Heap buffer overflow in WebAudio. Reported by Aleksandar Nikolic of Cisco Talos on 2021-01-25
• [1173702] Excessive CVE-2021-21161: Heap buffer overflow in TabStrip. Reported by Khalil Zhani on 2021-02-02
• [1172054] Excessive CVE-2021-21162: Use after free in WebRTC. Reported by Nameless on 2021-01-29
• [1111239] Excessive CVE-2021-21163: Inadequate information validation in Reader Mode. Reported by Alison Huffman, Microsoft Browser Vulnerability Analysis on 2020-07-30
• [1164846] Excessive CVE-2021-21164: Inadequate information validation in iOSWeb. Reported by Muneaki Nishimura (nishimunea) on 2021-01-11
• [1174582] Excessive CVE-2021-21165: Object lifecycle concern in audio. Reported by Alison Huffman, Microsoft Browser Vulnerability Analysis on 2021-02-04
• [1161144] Medium CVE-2021-21167: Use after free in bookmarks. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2020-12-22
• [1152226] Medium CVE-2021-21168: Inadequate coverage enforcement in appcache. Reported by Luan Herrera (@lbherrera_) on 2020-11-24
• [1166138] Medium CVE-2021-21169: Out of bounds reminiscence entry in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Safety Xuanwu Lab on 2021-01-13
• [1111646] Medium CVE-2021-21170: Incorrect safety UI in Loader. Reported by David Erceg on 2020-07-31
• [1152894] Medium CVE-2021-21171: Incorrect safety UI in TabStrip and Navigation. Reported by Irvan Kurniawan (sourc7) on 2020-11-25
• [1150810] Medium CVE-2021-21172: Inadequate coverage enforcement in File System API. Reported by Maciej Pulikowski on 2020-11-19
• [1154250] Medium CVE-2021-21173: Aspect-channel data leakage in Community Internals. Reported by Tom Van Goethem from imec-DistriNet, KU Leuven on 2020-12-01
• [1158010] Medium CVE-2021-21174: Inappropriate implementation in Referrer. Reported by Ashish Gautam Kamble on 2020-12-11
• [1146651] Medium CVE-2021-21175: Inappropriate implementation in Web site isolation. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Analysis on 2020-11-07
• [1170584] Medium CVE-2021-21176: Inappropriate implementation in full display screen mode. Reported by Luan Herrera (@lbherrera_) on 2021-01-26
• [1173879] Medium CVE-2021-21177: Inadequate coverage enforcement in Autofill. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Analysis on 2021-02-3
• [1174186] Medium CVE-2021-21178: Inappropriate implementation in Compositing. Reported by Japong on 2021-02-03
• [1174943] Medium CVE-2021-21179: Use after free in Community Internals. Reported by Nameless on 2021-02-05
• [1175507] Medium CVE-2021-21180: Use after free in tab search. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Analysis on 2021-02-07
• [1177875] Medium CVE-2020-27844: Heap buffer overflow in OpenJPEG. Reported by Sean Campbell at Tableau on 2021-02-12
• [1182767] Medium CVE-2021-21181: Aspect-channel data leakage in autofill. Reported by Xu Lin (College of Illinois at Chicago), Panagiotis Ilia (College of Illinois at Chicago), Jason Polakis (College of Illinois at Chicago) on 2021-02-26
• [1049265] Low CVE-2021-21182: Inadequate coverage enforcement in navigations. Reported by Luan Herrera (@lbherrera_) on 2020-02-05
• [1105875] Low CVE-2021-21183: Inappropriate implementation in efficiency APIs. Reported by Takashi Yoneuchi (@y0n3uchy) on 2020-07-15
• [1131929] Low CVE-2021-21184: Inappropriate implementation in efficiency APIs. Reported by James Hartig on 2020-09-24
• [1100748] Low CVE-2021-21185: Inadequate coverage enforcement in extensions. Reported by David Erceg on 2020-06-30
• [1153445] Low CVE-2021-21186: Inadequate coverage enforcement in QR scanning. Reported by dhirajkumarnifty on 2020-11-28
• [1155516] Low CVE-2021-21187: Inadequate information validation in URL formatting. Reported by Kirtikumar Anandrao Ramchandani on 2020-12-04
• [1161739] Low CVE-2021-21188: Use after free in Blink. Reported by Woojin Oh(@pwn_expoit) of STEALIEN on 2020-12-24
• [1165392] Low CVE-2021-21189: Inadequate coverage enforcement in funds. Reported by Khalil Zhani on 2021-01-11
• [1166091] Low CVE-2021-21190: Uninitialized Use in PDFium. Reported by Zhou Aiting(@zhouat1) of Qihoo 360 Vulcan Crew on 2021-01-13



Source link