A Google Chrome Zero-Day Security Flaw Is Under Active Attack, Update ASAP
There is a security update available for Google's popular Chrome browser, and you should apply it sooner than later. That is because it stomps out more than a dozen bugs, one of which Google says it is aware of being actively attacked the wild. That particular one is a zero-day exploit with a 'High' security rating, and is tracked as CVE-2021-30551.
Most of the details of the actively exploited attack vector remain a secret. It is normal for Google to restrict access to bug details (and associated links with more information about them) until a majority of Chrome users are patched and no longer vulnerable. That is the situation with CVE-2021-30551.
"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed," Google explains.
All we know about CVE-2021-30551 is that it is a "type confusion" exploit in V8, which is Google's open source JavaScript and WebAssembly engine that powers its Chrome browser. It was discovered and reported to Google by Clement Lecigne, who is part of Google's Threat Analysis Group, and Sergei Glazunov from Google's Project Zero team.
Another member of the Threat Analysis Group, Shane Huntley, stated on Twitter that the "in-the-wild vulnerability CVE-2021-30551 patched today was also from the same actor" who leveraged CVE-2021-33742, a remote code execution vulnerability that Microsoft recently patched in various Windows builds.
How To Patch Chrome's Zero-Day Vulnerability That Is Active Being Attacked
It's not clear if the security updates in the latest build have also been applied to Chrome on mobile and/or Chromium-based browsers like Microsoft Edge. As for Chrome on the desktop, you can check for and apply the latest update by clicking on the three vertical dots in the upper-right corner, then navigate to Help > About Google Chrome.
You will then have the option to apply an update, if one is available. At the time of this writing, the latest Chrome build (and the one that is patched against the zero-day exploit) is 91.0.4472.101.
