Google patches Chrome zero-day linked to commercial exploit company
Google has released an update for the Chrome browser today to fix a zero-day vulnerability the company's security team said was part of the arsenal of a "commercial exploit company."
The vulnerability, tracked as CVE-2021-30551, was abused in the wild together with a Windows zero-day, tracked as CVE-2021-33742, which Microsoft patched yesterday.
Shane Huntley, head of the Google Threat Analysis Group, whose team discovered the attacks, said the two zero-days were provided by the exploit broker to a nation-state, which used them for a small number of attacks against targets in Eastern Europe and the Middle East.
Chrome in-the-wild vulnerability CVE-2021-30551 patched today was also from the same actor and targeting. Thanks to Chrome team for also patching within 7 days. https://t.co/1RDbbuiBfY https://t.co/Ap9dEq98Cy
— Shane Huntley (@ShaneHuntley) June 9, 2021
Huntley said his team, which tracks nation-state operations and advanced threat actors using Google's considerable data insights, plans to reveal more details about the vulnerabilities in 30 days in order to give users more time to apply patches before broader technical information is available.
Google's discovery is, however, not the only one.
Yesterday's Microsoft Patch Tuesday also included fixes for two other Windows zero-days that were exploited via a Chrome-based delivery mechanism.
Researchers from Russian security firm Kaspersky said in a report yesterday that they only managed to analyze the Windows part of the attack but not the Chrome exploit code, which currently remains unknown and unpatched.
But while this Chrome attack vector remains unknown, users can update to Google Chrome v91.0.4472.101 today to protect themselves against CVE-2021-30551, the zero-day developed by the yet-to-be-identified "commercial exploit company."
Chrome in-the-wild vulnerability CVE-2021-30551 is patched. Another one found by Google TAG! (@_clem1) https://t.co/SD4ZFTP5VZ
— Maddie Stone (@maddiestone) June 9, 2021
Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.