- CVE-2021-30551 gets a high rating, with only one bug that isn’t in the wild, exploited by malicious third parties.
- According to Google, Access to bug details and links may be kept restricted until a majority of users are updated with a fix.
Users are still dwelling on the previous Microsoft Patch Tuesday announcement, which was pretty bad in their opinion, with six in-the-wild vulnerabilities patched.
Not to mention the one buried deep within the vestiges of Internet Explorer’s MSHTML web rendering code.
14 security fixes in one single update
For those who are still not familiar with the term, Zero-day is an imaginative time, as this type of cyberattack happens in less than a day since the awareness of the security flaw.
Therefore, it doesn’t give the developers nearly enough time to eradicate or mitigate the potential risks associated with this vulnerability.
Similar to Mozilla, Google also clusters together other potential bugs it has found using generic bug-hunting methods, listed as Various fixes from internal audits, fuzzing, and other initiatives.
Fuzzers can produce if not millions, hundreds of millions of test inputs over the span of the proving run.
However, the only information they need to store is in the cases that cause the program to misbehave, or crash.
This means that they can be used later on in the process, as starting points for the human bug hunters, which will also conserve a lot of time and manpower.
Bugs are being exploited in the wild
Google starts by mentioning the zero-day bug, stating that they are] aware that an exploit for CVE-2021-30551 exists in the wild.
With all this being said, Google isn’t clarifying whether the CVE-2021-30551 bug can be used for hardcore remote code execution, which usually means that users are vulnerable to cyber-attacks.
Just to get an idea of how serious this is, imagine surfing a website, without actually clicking on any popups, could allow malicious third parties to run code invisibly, and implant malware on your computer.
Thus, CVE-2021-30551 only gets a high rating, with merely a bug that isn’t in the wild (CVE-2021-30544), classified as critical.
It could be that the CVE-2021-30544 bug had the critical mention attributed to it because it could be exploited for RCE.
However, there’s no suggestion that anyone other than Google, as well as the researchers that reported it know how to do that, for the moment.
The company also mentions that access to bug details and links may be kept restricted until a majority of users are updated with a fix
What is your take on the latest zero day patch by Google? Share your thoughts with us in the comments section below.