On the 13th of September, Monday, Google issued fixes for 11 bugs in Chrome. These included two zero-days that were under exploitation in the wild. Google had listed the fixes and the researchers who helped to discover them.
According to the president at Pathlock, Kevin Dunne, this was the 10th zero-day exploit that Google had to patch in 2021. He also mentioned that this shows how bad actors have prioritized Chrome when doing browser exploitations. This way, bad actors can gain access to millions of devices irrespective of the operating system.
The two 0-day exploits under the tech giant’s watchful eyes were CVE-2021-30632 and CVE-2021-30633. According to Google, they knew about CVE-2021-30632 and CVE-2021-30633 and their exploitations that exist in the wild and were anonymously submitted on the 8th of September.
They also mentioned that CVE-2021-30632 is related to an out-of-bounds write in V8. On the other hand, CVE-2021-30633 was about the use after free in Indexed DB API. Google said that all the updates will be rolling out over the next few days and coming weeks. They will be part of the Stable channel update to 93.0.4577.82 meant for Mac, Linux, and Windows.
Kevin Dunne also said this action from Google is truly admirable, as Chrome is essentially freeware, so Google is solely responsible for providing these updates. He was confident about Google’s future work on security issues and patches for zero-day exploits that will continue to be exploited in the wild.
According to Netenrich’s principal threat hunter, John Bambenek, browser bugs from exploitation in the wild are the most notable security threats to exist.
“Now that they are patched, exploitation will ramp up. That said, almost 20 years on and we haven’t made web browsing safe shows that the rapid embrace of technology continues to leave users exposed to criminals and nation-state actors,” Bambenek said. “Everyone wants to learn how to hack, too few people are working on defense.”
