Google patches Chrome zero-day, eighth one in 2021
Google has released security updates today for its Chrome web browser, including a patch to address a zero-day vulnerability that was exploited in the wild.
Details about how, when, and where the vulnerability was exploited have not been made public.
Google typically waits at least 30 days before revealing such details, so that other threat actors do not get clues about how to weaponize the vulnerability for additional attacks before users have had a reasonable chance to patch.
Chrome users are advised to update their browser and make sure they’re running Chrome v91.0.4472.164, the version where this zero-day was patched.
Today’s zero-day is also the eighth such bug exploited in the wild against Chrome users this year. The previous seven zero-days patched this year include:
- CVE-2021-21148 – Chrome 88.0.4324.150, on February 4, 2021.
- CVE-2021-21166 – Chrome 89.0.4389.72, on March 2, 2021.
- CVE-2021-21193 – Chrome 89.0.4389.90, on March 12, 2021.
- CVE-2021-21220 – Chrome 89.0.4389.128, on April 13, 2021.
- CVE-2021-21224 – Chrome 90.0.4430.85, on April 20, 2021.
- CVE-2021-30551 – Chrome 91.0.4472.101, on June 9, 2021.
- CVE-2021-30554 – Chrome 91.0.4472.114, on June 17, 2021.
Today’s patches also come after Google published a report on Wednesday with additional technical details on CVE-2021-21166 and CVE-2021-30551.
According to the Google Threat Analysis Group (Google TAG), the zero-days were developed by an Israeli security company selling offensive hacking tools to governments across the world. Google said it detected specific cases where the two zero-days were used against targets located in Armenia.
Earlier today, Microsoft and Citizen Lab published more details about the Israeli company, known as Candiru, including details about Windows zero-days the company developed and a Windows spyware tool named DevilsEye.