Google Chrome Reports Several Serious Vulnerabilities


Vulnerabilities in the Google family of products, namely Google Chrome, are not an uncommon occurrence. These vulnerabilities are most often referred to as bugs, a term that downplays just how risky these security gaps are and how devastating and far-reaching their impact can be. In fact, the past few months have seen a fair share of software vulnerabilities across the sector, ranging from industry giant Microsoft to CMS leader WordPress, and more. This time, the Google Chrome Releases page of Google’s official blog has announced 8 security fixes developed by security researchers that mitigate several vulnerabilities discovered in Google Chrome. The fixes mitigate most of the issues on Windows, Mac, and Linux (Arch Linux) platforms. However, a critical vulnerability has been exploited and is now at large in the wild.

Information Surrounding The Vulnerabilities

Google is known for touting the security of its products, as is the Chromium security team responsible for the cybersecurity of The Chromium Projects. The Google Chrome browser is not an insecure browser by any means and is constantly being developed to high standards. However, in this instance, reported on July 17th, 2021, multiple vulnerabilities ranging from high to critical severity were found in Google Chrome. Of the seven vulnerabilities, five are a cause for serious concern. Security researchers and developers have uncovered the following information about what these specific vulnerabilities lead to, and information about the critical zero-day vulnerability has also been released:

  • An attacker can remotely control a target system
  • The attacker can execute arbitrary code on that system
  • The attacker orchestrates the attack by creating a fake web page
  • The attacker can compromise a user’s system after the user visits the fake web page
  • The attacker can gain full access to the vulnerable system

The Official List of Vulnerability Codes

The official CVE (Common Vulnerabilities and Exposures) IDs for the vulnerabilities, with their respective risk ratings, are as follows:

  • CVE-2021-30563 (Critical Risk Zero-Day Flaw)
  • CVE-2021-30559 (High Risk)
  • CVE-2021-30561 (High Risk)
  • CVE-2021-30541 (High Risk)
  • CVE-2021-30560 (High Risk)

The vulnerability types are confusion, out-of-bounds write, and use-after-free. These type names describe the kind of programming error behind each flaw in Google Chrome.

Critical Vulnerability Still at Large

Among the multiple vulnerabilities listed above, one is critical and is still being actively exploited in the wild: CVE-2021-30563. Its vulnerability type is ‘Confusion’, and it was discovered by Sergei Glazunov (Google Project Zero). Like the others, it allows a remote attacker to execute arbitrary code on the target system via a Google Chrome security hole, but it differs in that it is an error within the V8 component of Google Chrome. The V8 component is Google’s own WebAssembly and JavaScript engine. Google’s Chrome Releases blog states the following: “Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild.” This is the eighth critical vulnerability patched by Google in their Chrome browser this year.

Arch Linux Has Also Reported Vulnerabilities

Arch Linux has reported that it is also affected by the ‘Chromium arbitrary code execution’ and ‘Vivaldi arbitrary code execution’ issues.

Google And Arch Linux Release Patches For The Vulnerabilities

To mitigate the vulnerabilities, Google has rolled out a ‘Stable channel’ update for desktop, bringing it up to version 91.0.4472.164. According to the Chrome Releases web page, “The Stable channel has been updated to 91.0.4472.164 for Windows, Mac, and Linux which will roll out over the coming days/weeks.” For now, it is recommended that all users update Google Chrome to version 91.0.4472.164 for their respective operating system to protect against the consequences of the vulnerabilities.

Tech researcher & communications specialist
Mirza has an educational background in Global Communications and has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.