Google patches Chrome zero-day linked to ‘commercial exploit company’
Catalin Cimpanu June 9, 2021

Google has released an update for the Chrome browser today to fix a zero-day vulnerability the company’s security team said was part of the arsenal of a “commercial exploit company.”

The vulnerability, tracked as CVE-2021-30551, was abused in the wild together with a Windows zero-day, tracked as CVE-2021-33742, which Microsoft patched yesterday.

Shane Huntley, head of the Google Threat Analysis Group, whose team discovered the attacks, said the two zero-days were provided by the exploit broker to a nation-state, which used them for a small number of attacks against targets in Eastern Europe and the Middle East.

Huntley said his team, which tracks nation-state operations and advanced threat actors using Google’s considerable data insights, plans to reveal more details about the vulnerabilities in 30 days in order to give users more time to apply patches before broader technical information is available.

Google’s discovery is, however, not the only one.

Yesterday’s Microsoft Patch Tuesday also included fixes for two other Windows zero-days that were exploited via a Chrome-based delivery mechanism.

Researchers from Russian security firm Kaspersky said in a report yesterday that they only managed to analyze the Windows part of the attack but not the Chrome exploit code, which currently remains unknown and unpatched.

But while this Chrome attack vector remains unknown, users can update to Google Chrome v91.0.4472.101 today to protect themselves against CVE-2021-30551, the zero-day developed by the yet-to-be-identified “commercial exploit company.”

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.