Google has released Chrome 91.0.4472.114 for Windows, Mac, and Linux to fix four security vulnerabilities, one of them a high-severity zero-day vulnerability exploited in the wild.
This version, released today, June 17, 2021, for the stable desktop channel, has started rolling out worldwide and will be available to all users in the coming days.
Google Chrome will try to update itself automatically the next time you start the browser, but you can trigger a manual update by going to Settings > Help > About Google Chrome.
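Checking a fleet for the fixed build is the obvious follow-up, and the one pitfall is that Chrome versions must be compared component by component, not as strings ("91.0.4472.77" sorts after "91.0.4472.114" lexically). The following script is an added example, not code from the article or from Google: it parses `google-chrome --version` output (constructed sample lines are embedded so it runs offline), compares numerically against 91.0.4472.114, and optionally queries a locally installed binary. The binary names it probes are assumptions for common Linux installs.

```python
"""Check whether a Chrome build includes the 91.0.4472.114 fixes.

Added example, not part of the original article. Versions are compared
component-wise because a plain string comparison gets
"91.0.4472.77" vs "91.0.4472.114" wrong ("7" > "1" lexically).
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = "91.0.4472.114"  # Chrome stable release of June 17, 2021

# Constructed sample lines in the shape `google-chrome --version` prints;
# they are test input, not captured from a real machine.
SAMPLE_OUTPUTS = [
    "Google Chrome 91.0.4472.77 ",
    "Google Chrome 91.0.4472.114",
    "Chromium 92.0.4515.40 snap",
]

_VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){3})\b")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted four-component version from text as an int tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the version found in `text` is >= `fixed`; None if no version was found.

    Tuple comparison is numeric per component, so 4472.114 > 4472.77 as intended.
    """
    found = parse_version(text)
    if found is None:
        return None
    return found >= parse_version(fixed)


def installed_chrome_version() -> Optional[str]:
    """Return the `--version` line of a locally installed Chrome/Chromium, if any.

    The binary names are assumptions for common Linux installs; the function
    returns None when nothing is found so the example still runs without Chrome.
    """
    for name in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            try:
                result = subprocess.run([path, "--version"], capture_output=True,
                                        text=True, timeout=10)
                return result.stdout.strip()
            except (OSError, subprocess.SubprocessError):
                return None
    return None


if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        print(f"{line.strip()!r}: patched={is_patched(line)}")
    live = installed_chrome_version()
    print("local Chrome:", live or "not found", "->", is_patched(live) if live else "n/a")
```

Note that this inspects the binary on disk: a Chrome that has downloaded the update but has not been relaunched still runs the old, vulnerable code, so a fleet check should also confirm the browser process was restarted after the update.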
No details on zero-day attacks in the wild
“Google is aware that an exploit for CVE-2021-30554 exists in the wild,” the company’s security advisory reads.
Successful exploitation of this vulnerability could lead to arbitrary code execution on computers running unpatched versions of Chrome. On its own, a bug of this kind yields code execution inside Chrome’s renderer sandbox; taking over the host typically requires chaining it with a separate sandbox-escape or privilege-escalation flaw, as in the Kaspersky-documented attacks described below.
Although Google says it is aware of in-the-wild exploitation of CVE-2021-30554, it did not share any details about these attacks.
“Access to bug details and links can be restricted until most users are updated with a fix,” the company said.
“We will also maintain the restrictions if the bug exists in a third-party library that other projects similarly depend on, but has yet to be fixed.”
Google also fixed three more high-severity use-after-free bugs today in Chrome’s Share, WebAudio, and TabGroups components, tracked as CVE-2021-30555, CVE-2021-30556, and CVE-2021-30557, respectively.
Chrome’s seventh zero-day exploited in the wild this year
Today’s update fixes the seventh Google Chrome zero-day vulnerability exploited in attacks this year, with the other six listed below:
In addition to these zero-days, Kaspersky reported that a threat actor it tracks as PuzzleMaker has been chaining a Chrome zero-day with Windows zero-days to escape the browser sandbox and install malware on Windows systems.
“Once the attackers have used Chrome and Windows exploits to gain a foothold on the target system, the staging module downloads and runs a more complex malware dropper from a remote server,” Kaspersky said.
Project Zero, Google’s zero-day bug-hunting team, also detailed a large-scale operation in which a hacking group used 11 zero-days to attack Windows, iOS, and Android users within a single year.