For the second time this month, Google fixed two unknown or “zero-day” security vulnerabilities in Chrome. These are already exploited by the attackers.
Google has released an update to the Chrome Stable Channel for Windows, Mac, and Linux machines to fix two zero-day glitches in the web’s most popular browser.
The update updates Chrome to version 94.0.4606.71. Due to the attacks, it is safe for organizations and consumers to update as soon as it is available. Google says the update will be rolled out in the “next days / weeks”.
Another medium severity vulnerability, known as CVE-2021-37976, is a “kernel information leak” and has been reported by Google’s Threat Analysis Group (TAG) with the help of Google Project Zero security researchers.
The 10th zero-day patch of the year
“Google is aware that exploits for CVE-2021-37975 and CVE-2021-37976 have been released,” the web giant said in its release notes.
With these last two flaws, Google has fixed 12 zero-day flaws in Chrome since the beginning of 2021, and two in Chrome since September 13, marking its 10th zero-day patch of the year.
TAG is the Google group that specializes in tracking government-backed groups of attackers. Previously, it discovered North Korean hackers’ activities and attacks on iOS and consumer browsers.
V8 bugs are particularly dangerous
Google Project Zero researcher Samuel Groß recently launched a project to fix V8 bugs, which he says are particularly dangerous.
“V8 bugs generally allow exceptionally powerful exploits to be built,” he warns. They are also resistant to modern hardware-assisted mitigation measures.
Details of the two new Chrome bugs have yet to be added to Google Project Zero’s zero-day tracker. After adding these bugs, the list will include a total of 48 zero-day vulnerabilities that have been exploited by attackers since the beginning of the year. These errors affected the software and hardware of Google, Apple, Adobe, Microsoft, Qualcomm and Arm.
Zero-day vulnerability growth
Project Zero and Google’s TAG indicate that there has been an increase in zero-day exploits this year, but what that means in terms of offense and defense is less clear.
“There is no one-to-one relationship between the number of zero-day vulnerabilities used by attackers and the number of zero-day vulnerabilities detected and disclosed. The attackers behind zero-day exploits generally want them to remain hidden and unknown, because that is how they are most useful, ”say Google security researchers.
The increase in the number of zero-day vulnerabilities could be explained by the fact that defenders are increasingly able to identify and detect them. But it could also be because attackers use them more frequently because there are more platforms to attack and more commercial companies selling governments access to zero-day vulnerabilities, reducing the need for technical skills to use them.