Google Gets a Jump on Cyber Awareness Month with Repeated Zero Day and High Rank Threat Disclosures

In seeming anticipation of Cyber Awareness Month in October, Google began a series of “Whack-a-Mole” updates to address a spate of Chrome security flaws. Each time they knocked a batch down, more have popped up. In the first week of October, Google announced they had found the 12th and 13th zero day exploits of 2021, affecting Linux, macOS, and Windows users – just days after number 11 was made public. More disclosures of high ranking exploits have since followed at what seems to be an accelerating pace.

“Zero day” exploits are particularly dangerous because hackers are aware of – and can exploit – them before security patches are available to fix them. With 2.65 billion Chrome users worldwide and a 65% market share, these newest Chrome zero days left an awful lot of users exposed to danger until Google released fixes. And since many organizations take some time to roll out new versions of their browsers, many users will be exposed to these vulnerabilities for quite a while.

DevOps Experience

Browsers are designed to execute all web code only within the browser, and nowhere else on the device. Browser security vulnerabilities are dangerous in that they allow code to “jump” from the browser to the device and execute there.

Use-After-Free Vulnerabilities

A number of the latest zero day exploits and high-rated threats were Use-After-Free (UAF) vulnerabilities, which are some of the most dangerous software vulnerabilities around.

Normally, when an application finishes using memory, that memory is returned to the free memory list. In a UAF, the attacker has gained access to the memory address. This allows them to insert malicious code into memory that has been freed for use other than for browsing – code which can cause all kinds of harm.

Additionally, since the memory isn’t wiped clean after a UAF has been exploited, the attacker can continue to read contents of memory of the device, including sensitive customer or organization data.

More Than Chrome Can Be at Risk

The most recent zero day was in the core code known as Chromium. Chromium is an open-source browser that is maintained primarily by Google. Google adds features to Chromium for its Chrome browser, and other…