Categories: Other

Google Patches a Couple of Chrome Zero Days

What is a Zero-Day Classification in Google?

A zero-day classification can be defined as a flaw exploited by hackers and also not found by Google. A fix or patch would not have been released yet for such a flaw. Google has already responded that such flaws are very dangerous, maybe more serious than the rest. The exploitation of such flaws by hackers in the wild is proven to be increasing day by day.  

Usually, as soon as such a flaw is found out, an immediate patch or fix is released by Google in the form of an update for all Linux, macOS, and Windows users. Once a vulnerability is found out, it is usually released on the NVD (National Vulnerability Database). 

Process of Zero-day Attack Targeting

Once an attacker becomes aware of a zero-day vulnerability, they need a delivery mechanism to reach the vulnerable system or exploit it. The most common method of getting in is through a socially engineered email. Such an email convinces the target to act on the behest of the attackers by downloading malicious content or entering sites that contain high risks. The end result is the targeted persons will be exploited. 

The most recent zero-day vulnerabilities found by Google

Google announced out loud about finding and fixing 11 high severity vulnerabilities on 13th September. In this same announcement, a quote about finding 2 high-level zero-days was actually used by attackers to previously plant some malicious schemes. As a wall against this exploitation, a new update was released which included fixes and patches against all these vulnerabilities. The update was released on platforms Linux, macOS, and Windows. The version number is 93.0.4577.82.

The below mentioned are the latest discovered high-severity zero-days –

  • CVE – 2021-30632

This zero-day was related to the V8 JavaScript Engine and was known as “Out of Bounds Write”. The V8 JavaScript engine or interpreter is the central component that works to help us access web pages or apps by bringing them to us. The safety of this component is necessary because of this exact reason. One of the main parts of this component is known as the JIT (Just in time) compiler. Half of the CVEs reported against the V8 JavaScript engine were due to JIT. So, turning off this particular component can increase the security at the cost of speed. 

Making use of this zero-day and with the help of a crafted HTML, the unknown attacker was able to exploit plenty of users. 

  • CVE – 2021 – 30633

This particular zero-day was related to the Indexed DB API and was known as “Use after Free”.

By making use of this zero-day, the attacker who had compromised the process, with the help of a crafted HTML page, made a sandbox escape. 

Checking the updated version of your browser (here, Chrome)

  • Open the browser
  • Click on the 3 tops at the right corner to access the settings.
  • Find ‘About Chrome’ or the about info option of your browser.

Other Zero-Days Found this Year

  • CVE-2021-33742

This zero-day was related to Internet Explorer. In April 2021, Google’s TAG (threat analysis group) found a project targeting only Armenian users with affected or malicious documents that would load documents in internet explorer. In a further investigation, it was found that many documents were uploaded to Virustotal. This zero-day was fixed by Microsoft in June this year. 

  • CVE-2021-1879

Discovered by TAG on 19th Mar 2021. This zero-day was interesting as it’s a vulnerability that didn’t require multiple chains. This campaign was run by attackers in such a way via social media platforms like LinkedIn or Facebook to target government officials from Western European Countries and make them fall into downloading malicious content or clicking on suspicious infected links. 

The error was related to Webkit (Safari).

  • CVE-2021-21166 and CVE-2021-30551

These were linked to Chrome. The first was found in Feb 2021 and the second in June 2021. It has been noticed that both the zero-days were exploited by the same person or organization. These zero-days were exploited and the attackers targeted users who were all from Armenia. The attack was in such a way that emails were sent to the targets with infected links in order to make them access these links and thereby fall into the laid traps. 

The moment the link is accessed, it would lead to a webpage that would blueprint the device and make the access better for the attacker to exploit info. 

Further investigation led to a discovery that CVE-2021-21166 was linked to Webkit. This was resolved finally by Apple.

In the last few years, the number of zero-day exploitations has been reported a lot and it seems the increase is still in progress. Most of these zero-days found by Google’s TAG were developed by commercial providers and provided money to those having an influence in government. 

Even though zero-days are more to be found in Chrome, it still remains the most downloaded and used browser followed by Edge and Brave. 

QuickTech

Recent Posts

How to Offer Tech Support to Your Older Relatives

We’ve all been there. The phone rings, you answer it, and the next 45 minutes…

2 years ago

The Importance of In Person & Remote Tech Support for Business Success

Did you know that, according to FileMaker’s Workplace Innovation Report, a staggering 94% of business…

2 years ago

How to Set Up a New Laptop

Congratulations on your new laptop! Whether you’re upgrading from a shabbier older model or investing…

2 years ago

How to Physically Clean Your Computer

You might have already discovered the hard way that your computer needs a decent spring…

2 years ago

Improve Your Home Wi-Fi with a Mesh System & Eliminate Wi-Fi Dead Spots

There’s nothing more frustrating than when the internet keeps dropping out at home, or when…

2 years ago

How to Transfer Files from Your Old Laptop to Your New Laptop

Congratulations on switching out your old, weathered laptop for a brand new one that doesn’t…

2 years ago