Threat Alert

by IthacaLabs™

THREAT LEVEL/High 16/07/2021

A New Zero-Day Bug affecting Google Chrome Browser is Exploited in the Wild.

Threat Level Description

Threat Level: High – An attack is highly likely. Additional, sustainable protective security measures are warranted, reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgements on acceptable risk.

Description

A new zero-day vulnerability affecting the Google Chrome browser has been identified.

An unauthenticated remote attacker could exploit this issue to steal confidential information and/or further compromise the affected system.

The vulnerability, tracked as CVE-2021-30563, is a type confusion issue in V8, Chrome's open-source JavaScript engine.

Furthermore, CVE-2021-30563 has been confirmed to be actively exploited in the wild.

Note that the vendor has withheld full details of the underlying vulnerability used in the attacks because of its severity and the risk that disclosure would enable further abuse.

CVE-2021-30563 is the ninth zero-day vulnerability affecting Google Chrome users since the start of the year.

Given its nature, and the impact of the previous zero-days that affected Google Chrome, a remote attacker exploiting this vulnerability could potentially corrupt the heap and execute arbitrary code inside the renderer sandbox via a crafted HTML page. Reaching the rest of the system from there typically requires chaining a second vulnerability to escape the sandbox, which is why such bugs are often seen as part of a multi-stage exploit chain.

The zero-days previously identified this year are listed below:

• CVE-2021-21148 – Heap buffer overflow in V8
• CVE-2021-21166 – Object lifecycle issue in audio
• CVE-2021-21193 – Use-after-free in Blink
• CVE-2021-21206 – Use-after-free in Blink
• CVE-2021-21220 – Insufficient validation of untrusted input in V8 for x86_64
• CVE-2021-21224 – Type confusion in V8
• CVE-2021-30551 – Type confusion in V8
• CVE-2021-30554 – Use-after-free in WebGL

CVE(s)

• CVE-2021-30563 – Type confusion in V8

Affected Systems

  • Google Chrome Browser

Recommendation(s)

You should immediately update to the latest version of Google Chrome, which contains the vendor's fix for this zero-day, by opening the browser menu and choosing Help > 'About Google Chrome'; this page triggers the update check and downloads the new build. Note that the update only takes effect once the browser has been relaunched, so a Chrome that has downloaded the fix but has not been restarted is still running the vulnerable code.

In managed environments, confirm the rollout through your patch management tooling rather than relying on individual users to relaunch their browsers.
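The following script is an added example for checking the above recommendation on a fleet host; it is not part of the IthacaLabs alert or any vendor tooling. It assumes that the first fixed stable build is 91.0.4472.164 (Google's stable channel update of 15 July 2021 for CVE-2021-30563) and that Chrome or Chromium, if installed, is reachable under one of the binary names listed in the script; both are stated assumptions in the comments. Run it locally after the update and relaunch; it reports whether the installed build is at or above the fixed version.

```shell
#!/bin/sh
# Added example (not from the IthacaLabs alert): report whether the locally
# installed Chrome/Chromium build is at least the version that fixes CVE-2021-30563.
# Assumption: the first fixed stable build is 91.0.4472.164 (15 July 2021).
FIXED_VERSION="91.0.4472.164"

# version_ge A B -> exit 0 if dotted version A >= B, 1 otherwise.
# Fields are compared numerically, so 91.0.4472.164 ranks above 91.0.4472.9
# (a plain string comparison would get that wrong). Missing fields count as 0.
version_ge() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# chrome_status VERSION -> prints "patched" if VERSION >= FIXED_VERSION, else "VULNERABLE".
chrome_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        printf 'patched\n'
    else
        printf 'VULNERABLE\n'
    fi
}

# installed_chrome_version -> prints the dotted version of the first Chrome/Chromium
# binary found (e.g. 91.0.4472.164); prints nothing and exits 1 if none is installed.
# Assumption: the binary names and the macOS app path below cover the common installs.
installed_chrome_version() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser \
        "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
        if command -v "$bin" >/dev/null 2>&1 || [ -x "$bin" ]; then
            "$bin" --version 2>/dev/null | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n1
            return 0
        fi
    done
    return 1
}

# Report on the local host. Nothing is fetched from the network; the check is
# purely a comparison of the installed version string against FIXED_VERSION.
if v=$(installed_chrome_version) && [ -n "$v" ]; then
    printf 'Installed Chrome %s: %s\n' "$v" "$(chrome_status "$v")"
else
    printf 'No Chrome/Chromium binary found on this host\n'
fi
```

The version comparison is the part worth keeping: a naive string or `sort` comparison of "91.0.4472.164" against "91.0.4472.9" would mark the patched build as older. Because Chrome applies a downloaded update only on relaunch, `--version` on a freshly updated but still-running browser reports the new build, so pair this check with a forced relaunch in any automated rollout.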

Security updates must be applied promptly, regardless of the size of your organisation. Maintain an effective patch management process, keep security event logging enabled, and actively monitor those events so that exploitation attempts against unpatched browsers can be detected. Protecting the valuable assets of your business and complying with the relevant industry regulations require a comprehensive approach to risk management, including penetration testing at least annually and after significant changes.
