Google has released Chrome 91.0.4472.101 for Windows, Mac, and Linux to fix 14 security vulnerabilities, including a zero-day vulnerability exploited in the wild and tracked as CVE-2021-30551.
Google Chrome 91.0.4472.101 has started rolling out worldwide and will be available to all users in the coming days.
Google Chrome will try to update itself automatically the next time you start the browser, but you can perform a manual update by going to Settings > Help > About Google Chrome.
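The update check above is per browser; on a managed fleet the same question is usually answered from an inventory of installed versions. The script below is an added example, not code from the article or from Google: it compares dotted Chrome version strings numerically against the fixed build 91.0.4472.101 named in the article. The hostnames and all other version strings are constructed sample data.

```python
"""Check whether installed Chrome builds are at or above the release that
fixed CVE-2021-30551 (Chrome 91.0.4472.101).

Version strings must be compared component by component as integers:
a plain string comparison would rank "91.0.4472.77" above "91.0.4472.101".
"""
from typing import Dict, Tuple

# Fixed release named in the article.
FIXED_VERSION = "91.0.4472.101"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted Chrome version string into a tuple of ints.

    Raises ValueError for anything that is not four dot-separated integers.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is the fixed release or newer."""
    return parse_version(installed) >= parse_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patched', 'vulnerable' or 'unknown'.

    Unparseable version strings are reported rather than skipped, so a
    host that fails inventory does not silently disappear from the report.
    """
    report: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            report[host] = "patched" if is_patched(version) else "vulnerable"
        except ValueError:
            report[host] = "unknown"
    return report


# Constructed sample inventory: hostnames and versions are made up,
# except for the fixed version 91.0.4472.101 taken from the article.
SAMPLE_INVENTORY = {
    "ws-01": "91.0.4472.101",   # exactly the fixed release
    "ws-02": "91.0.4472.77",    # older build of the same major version
    "ws-03": "92.0.0.1",        # newer major version
    "ws-04": "90.0.4430.1",     # older major version
    "ws-05": "not reported",    # inventory agent returned no version
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The report treats a missing or malformed version as its own status rather than as "patched" or "vulnerable", so gaps in inventory coverage stay visible.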
Six Chrome zero-days exploited in the wild in 2021
The vulnerability was discovered by Sergei Glazunov of Google Project Zero and is tracked as CVE-2021-30551.
Google states that they are “aware that there is an exploit for CVE-2021-30551 in the wild.”
Shane Huntley, Director of Google’s Threat Analysis Group, says that this zero-day was used by the same threat actors who used the Windows zero-day CVE-2021-33742 fixed yesterday by Microsoft.
The Chrome in-the-wild vulnerability CVE-2021-30551 patched today was also from the same actor and target.
Thanks to the Chrome team for also patching in 7 days. https://t.co/1RDbbuiBfY https://t.co/Ap9dEq98Cy
– Shane Huntley (@ShaneHuntley) June 9, 2021
Today’s update fixes the sixth zero-day exploited in attacks on Google Chrome this year; the other five are listed below:
- CVE-2021-21148 – Feb 4, 2021
- CVE-2021-21166 – March 2, 2021
- CVE-2021-21193 – March 12, 2021
- CVE-2021-21220 – April 13, 2021
- CVE-2021-21224 – April 20, 2021
In addition to these vulnerabilities, news broke yesterday that a group of threat actors known as Puzzlemaker is chaining Google Chrome zero-day bugs to escape the browser’s sandbox and install malware on Windows.
“After the attackers have used Chrome and Windows exploits to gain a foothold on the target system, the staging module downloads and runs a more complex malware dropper from a remote server,” the researchers said.
Microsoft fixed the Windows vulnerabilities yesterday as part of the June 2021 Patch Tuesday, but Kaspersky was unable to determine which Google Chrome vulnerabilities were used in the Puzzlemaker attacks.
Kaspersky believes that attackers may have been using Google Chrome’s CVE-2021-21224 vulnerability, but they have not ruled out the use of other undisclosed Chrome zero-day vulnerabilities.