Chrome zero-day, hot on the heels of Microsoft’s IE zero-day. Patch now!
Posted by Uroš Lolić on 11 June 2021 08:31 AM
Microsoft’s Patch Tuesday announcement was bad enough, with six in-the-wild vulnerabilities patched, including one buried in the vestiges of Internet Explorer’s MSHTML web rendering code…
Like Mozilla, Google also lumps together other potential bugs it has found using generic bug-hunting techiques, listed as “Various fixes from internal audits, fuzzing and other initiatives.”
Fuzzing, in case you aren’t familiar with the concept, is an automated technique that probes for bugs by repeatedly confronting the sofware under test with input that has deliberately been modified to see whether the program chokes on it.
For example, a fuzzer might start with a known-good input file that you would expect to be processed correctly, without triggering any bugs, and progressively make a series of unusual or otherwise unlikely changes in the file, thus testing a program’s error-checking code much more broadly and deeply than hand-crafted files could manage.
Imagine that you had a compressed archive file, for instance, and you wanted to see how safely your decompression code would behave if the file were corrupted during a download, such as if a line-break character were accidentally inserted at some point.
With a fuzzer you could not only test for line-breaks at some points in the file, but at every possible point – and, better yet, you wouldn’t need to store all these slightly-modified input files for later, because you could automatically regenerate them on the fly every time you wanted to repeat the test.
Fuzzers may produce millions or even hundreds of millions of test inputs during a proving run, but only need to store the inputs that cause the program to misbehave, or more importantly to crash, so they can be used later on as time-saving starting points for human bug hunters.
Exploit in the wild
Google writes, of the zero-day bug, simply that “[we are] aware that an exploit for CVE-2021-30551 exists in the wild.”
Google isn’t saying whether the CVE-2021-30551 bug can be used for full-on remote code execution – which, in the context of a browser, usually means that you are vulnerable to a drive-by download.
A drive-by means that merely viewing a website, without clicking on any popups or seeing any “Are you sure?” warnings, could allow crooks to run rogue code invisibly and implant malware on your computer.
However, CVE-2021-30551 only gets a High rating, with just one bug that isn’t in the wild (CVE-2021-30544) denoted Critical.
We’re guessing that the CVE-2021-30544 bug has been given a Critical rating because it could be exploited for RCE, but there’s no suggestion that anyone other than Google and the researchers that reported it know how to do that right now.
What to do?
Check your Chrome or Chromium version.
On Windows, Mac and Linux you should have 91.0.4472.101.
Click the three-dots icon, then go to Help > About Google Chrome – this will show you the version you have now, and check for an update while you’re about it.
For further information on updating Chrome, check the official Update Google Chrome page.