Google has released Chrome 91.0.4472.164 for Windows, Mac and Linux to fix seven vulnerabilities, one of which is a high-severity zero-day exploited in the wild.
“Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild,” the company revealed.
The new Chrome release has started rolling out worldwide to the stable desktop channel and will be available to all users in the coming days.
Google Chrome automatically updates itself at the next launch, but you can also update it manually by checking for the newly released version from Settings > Help > …
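For administrators checking a fleet rather than a single browser, the following added example (not from the article) compares reported Chrome version strings against the fixed build 91.0.4472.164 named above; the inventory dictionary and hostnames are constructed, and it assumes version strings in the form printed by `google-chrome --version`.

```python
"""Check whether reported Chrome versions include the CVE-2021-30563 fix.

Added example, not from the article. Assumes the fixed build is
91.0.4472.164 (stated in the article) and that version strings look like
the output of `google-chrome --version`, e.g. "Google Chrome 91.0.4472.114".
"""
import re
from typing import Dict, Optional, Tuple

FIXED_VERSION = (91, 0, 4472, 164)  # first stable build carrying the fix

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from free-form text; None if absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(text: str) -> Optional[bool]:
    """True if the version in `text` is >= the fixed build, False if older,
    None if no version could be parsed (treat as unknown, not as safe)."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuple comparison orders field by field, which matches Chrome's
    # major.minor.build.patch numbering.
    return version >= FIXED_VERSION


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a {host: version_string} inventory."""
    labels = {True: "patched", False: "needs update", None: "unknown"}
    return {host: labels[is_patched(v)] for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "ws-01": "Google Chrome 91.0.4472.164",
        "ws-02": "Google Chrome 91.0.4472.114",
        "ws-03": "Chromium 92.0.4515.107",
        "ws-04": "command not found",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be investigated rather than assumed patched, since an unparseable version usually means Chrome was not found or the collector failed.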
Eighth exploited zero-day this year
Although type confusion vulnerabilities generally lead to browser crashes after successful exploitation, by reading or writing memory outside the bounds of a buffer, they can also be exploited by threat actors to execute arbitrary code on devices running the vulnerable software.
While Google said it was aware of CVE-2021-30563 being exploited in the wild, it did not share information about these attacks, so that the security update can be deployed on as many systems as possible before more threat actors begin actively abusing the flaw.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” said Google.
“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”
In total, Google has patched eight Chrome zero-day bugs exploited by attackers in the wild since the beginning of 2021. In addition to CVE-2021-30563, the company previously addressed:
The Google Threat Analysis Group (TAG) shared further details earlier this week regarding the exploitation of CVE-2021-21166 and CVE-2021-30551 Chrome zero-days.
“Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world,” said Google.
On Thursday, Microsoft and Citizen Lab linked the vendor mentioned in the Google TAG report to Israeli spyware vendor Candiru.
Threat actors deployed the surveillance vendor’s spyware to infect iOS, Android, macOS and Windows devices, using Chrome zero-days and unpatched Windows bugs.
Microsoft researchers found that Candiru’s malware was used to compromise the systems of “politicians, human rights activists, journalists, academics, embassy workers and political dissidents.”
In all, Microsoft said it detected “at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia and Singapore.”