Posts

Google fixes sixth Chrome zero-day exploited in the wild this year


Google has released Chrome 91.0.4472.101 for Windows, Mac, and Linux to fix 14 security vulnerabilities, with one zero-day vulnerability exploited in the wild and tracked as CVE-2021-30551.

Google Chrome 91.0.4472.101 has started rolling out worldwide and will become available to all users over the next few days.

Google Chrome will automatically attempt to upgrade the browser the next time you launch the program, but you can perform a manual update by going to Settings > Help > ‘About Google Chrome’.

Google updated to version 91.0.4472.10

Six Chrome zero-days exploited in the wild in 2021

Few details regarding today’s fixed zero-day vulnerability are currently available other than that it is a type confusion bug in V8, Google’s open-source C++ JavaScript and WebAssembly engine.

The vulnerability was discovered by Sergei Glazunov of Google Project Zero and is being tracked as CVE-2021-30551.

Google states that they are “aware that an exploit for CVE-2021-30551 exists in the wild.”

Shane Huntley, Director of Google’s Threat Analysis Group, says that this zero-day was utilized by the same threat actors using the Windows CVE-2021-33742 zero-day fixed yesterday by Microsoft.

Today’s update fixes Google Chrome’s sixth zero-day exploited in attacks this year, with the other five listed below:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021

In addition to these vulnerabilities, news broke yesterday of a threat actor group known as Puzzlemaker that is chaining together Google Chrome zero-day bugs to escape the browser’s sandbox and install malware on Windows.

“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” the researchers said.

Microsoft…


Re-Captcha Redirects, Security Checks, Chrome Errors

Hey there, hoping to get some help with my laptop before I throw it out the door. I use it for work and about a month ago something started happening that is causing a huge slow down with me navigating sites for work all day.

I suddenly stopped being able to simply log in most anywhere. Most sites redirect me to a “security check” page that tells me to do a re-captcha to prove I’m a human. For example, see the attached screenshot of me trying to log in to clickfunnels.com, which worked just fine until about a month ago and now redirects me to this security page over and over and then finally lets me in after I do like 4 of these. Every single time.

Another thing that started happening is that some sites won’t even let me get to the login at all. I’ve had this happen on all sorts of sites, from local government sites to Kajabi.com, which I use a lot for work (course creator site). See the attached screenshot of the err_empty_response I get on these sites that won’t even let me get to the login screen. I’m now having to use another computer to access sites that do this.

I’ve been told by Geeksquad that I could have a browser redirect adware but I’m not getting any adware popups. And I have scanned my computer so many times with Malwarebytes and Kaspersky and Windows Defender without it finding anything at all.

I also see that a lot of these “security check” pages, like the one in the attachment, will say something about my IP address being flagged for suspicious activity. So, I’ve reset my home router several times and assigned a new IP address, but that hasn’t fixed anything.

Short of paying $150 to Geeksquad, which I’m not too thrilled to do without knowing if they would even find anything, can you please help me out with suggestions on what this could be??

Edition Windows 10 Home

Version 20H2

Installed on 6/15/2020

OS build 19042.867


Thanks!

Edited by jenn56, Today, 06:28 PM.


Another Google Chrome 0-Day Bug Found Actively Exploited In-the-Wild

Google has addressed yet another actively exploited zero-day in Chrome browser, marking the second such fix released by the company within a month.

The browser maker on Friday shipped 89.0.4389.90 for Windows, Mac, and Linux, which is expected to be rolling out over the coming days/weeks to all users.

While the update contains a total of five security fixes, the most important flaw rectified by Google concerns a use-after-free vulnerability in its Blink rendering engine. The bug is tracked as CVE-2021-21193.

Details about the flaw are scarce except that it was reported to Google by an anonymous researcher on March 9.

As is usually the case with actively exploited flaws, Google issued a terse statement acknowledging that an exploit for CVE-2021-21193 existed but refrained from sharing additional information until a majority of users have installed the fixes, so as to prevent other threat actors from creating exploits targeting this zero-day.

“Google is aware of reports that an exploit for CVE-2021-21193 exists in the wild,” Chrome Technical Program Manager Prudhvikumar Bommana noted in a blog post.

With this update, Google has fixed three zero-day flaws in Chrome since the start of the year.

Earlier this month, the company issued a fix for an “object lifecycle issue in audio” (CVE-2021-21166) which it said was being actively exploited. Then on February 4, the company resolved another actively exploited heap buffer overflow flaw (CVE-2021-21148) in its V8 JavaScript engine.

Chrome users can update to the latest version by heading to Settings > Help > About Google Chrome to mitigate the risk associated with the flaw.


Another Chrome zero-day exploit – so get that update done! – Naked Security

Almost exactly a month ago, or a couple of days under an average month given that February was the short one, we warned of a zero-day bug in Google’s Chromium browser code.

Patch now, we said.

And we’re saying it again, following Google’s otherwise cheery release of version 89.0.4389.72:

The Chrome team is delighted to announce the promotion of Chrome 89 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

We’ve never quite understood Google’s mention of rolling out updates over “days/weeks” in an update that includes 47 security fixes, of which eight have a severity level of High.

In fact, we suggest going out manually and making sure you’ve got your Chrome update already, without waiting for those days/weeks to elapse until the update finds you.

If you’re using a Chromium-based product from another browser maker, check with that vendor for information about whether their build is affected by this bug, and if so whether the patch is downloadable yet.