Security News > 2021 > June > Chrome zero-day, hot on the heels of Microsoft’s IE zero-day. Patch now!
Microsoft's Patch Tuesday announcement was bad enough, with six in-the-wild vulnerabilities patched, including one buried in the vestiges of Internet Explorer's MSHTML web rendering code.
It's been followed by Google's latest Chrome security advisory, which includes a zero-day patch to Chrome's JavaScript engine amongst its 14 officially listed security fixes.
A fuzzer might start with a known-good input file that you would expect to be processed correctly, without triggering any bugs, and progressively make a series of unusual or otherwise unlikely changes in the file, thus testing a program's error-checking code much more broadly and deeply than hand-crafted files could manage.
This bug is listed as a "Type confusion in V8", where V8 is the part of Chrome that runs JavaScript code, and type confusion means that you can feed V8 one sort of data item but trick JavaScript into handling it as if it were something else, possibly bypassing security checks or running unauthorised code as a result.
As you probably know, JavaScript security holes that can be triggered by JavaScript code embedded in a web page often result in RCE exploits, or remote code execution.
Google isn't saying whether the CVE-2021-30551 bug can be used for full-on remote code execution - which, in the context of a browser, usually means that you are vulnerable to a drive-by download. A drive-by means that merely viewing a website, without clicking on any popups or seeing any "Are you sure?" warnings, could allow crooks to run rogue code invisibly and implant malware on your computer.
News URL
Related news
- Microsoft October 2024 Patch Tuesday fixes 5 zero-days, 118 flaws (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 91 flaws (source)
- Microsoft November 2024 Patch Tuesday fixes 4 zero-days, 89 flaws (source)
- Microsoft patches two zero-days exploited in the wild (CVE-2024-43573, CVE-2024-43572) (source)
- Microsoft cleans up hot mess of Patch Tuesday preview (source)
- Week in review: Microsoft fixes two exploited zero-days, SOC teams are losing trust in security tools (source)
- Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day (source)
- Microsoft SharePoint RCE flaw exploits in the wild – you've had 3 months to patch (source)
- Microsoft fixes actively exploited zero-days (CVE-2024-43451, CVE-2024-49039) (source)
- Microsoft slips Task Manager and processor count fixes into Patch Tuesday (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-06-15 | CVE-2021-30551 | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 91.0.4472.101 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |