Update now! Google Chrome fixes two in-the-wild zero-days

Google announced on Monday that it will be issuing patches for 11 high severity vulnerabilities found in Chrome, including two that are currently being exploited in the wild. The patch, which is part of the Stable Channel Update for Chrome 93 (93.0.4577.82), will be released for Windows, Mac, and Linux (if it hasn’t already). Chrome users are expected to see the roll out in the coming days and weeks.

Readers should note that other popular browsers such as Brave and Edge are also Chromium-based and therefore likely to be vulnerable to these flaws too. Keep an eye out for updates.

You can check what version of Chrome you are running by opening About Google Chrome from the main menu.

The vulnerabilities

The fixes address high severity vulnerabilities reported to Google by independent researchers from as early as August of this year. That said, the company has included names of the researchers who found the flaws in their announcement.

The two vulnerabilities that are being actively exploited—namely, CVE-2021-30632 and CVE-2021-30633—were  submitted anonymously. The former is an “Out of bounds write” flaw in the V8 JavaScript engine and the latter is a “Use after free” bug in the Indexed DB API.

Because threat actors are currently exploiting the two aforementioned vulnerabilities, Google provides little to no information on how the attacks against these weaknesses are being carried out, or other precautionary measures users should be looking out for. Per Google:

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

V8, the thorn in Chrome’s side?

Nobody will be surprised to see that one of the in-the-wild exploits affects Chrome’s V8 engine.

At the heart of every modern web browser sits a JavaScript interpreter, a component that does much of the heavy lifting for interactive web apps. In Chrome, that interpreter is V8. These components need to accommodate frequent updates and adhere to a bewildering array of web standards, while also being both fast and secure.

Chrome’s V8 JavaScript engine has been a significant source of security problems. So significant in fact, that in August Microsoft—whose Edge browser is based on Chrome—announced an experimental project called Super Duper Secure Mode that aims to tackle the rash of V8 problems by simply turning an important part of it off.

A little under half of the CVEs issued for V8 relate to its Just-in-Time (JIT) compiler, and more than half of all ‘in-the-wild’ Chrome exploits abuse JIT bugs. Just-in-time compilation is an important performance feature and turning it off is a direct trade of speed for security. How much? According our quick-and-dirty testing, turning off the JIT compiler makes JavaScript execution twice as slow in Edge.

11 zero-days and counting

To date, the Google Chrome team has patched 11 zero-day vulnerabilities in 2021. Previous patches are from the following vulnerabilities, some of which we have covered here in the Malwarebytes Labs blog:

With so much bad PR, you might expect Chrome’s market share to suffer; yet, it remains by far the most popular browser. Users—and the Google Chrome brand—seem unaffected.

Make sure you update your Chrome or Chromium-based browser once you see the patch available, or better still, make sure your browser is set to update itself.

Stay safe!