Chrome's zero-day patch contains 14 important security fixes

Reading time icon 3 min. read

Readers help support Windows Report. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help Windows Report sustain the editorial team Read more

Key notes

  • Google releases Chrome security advisory, which includes a zero-day patch to Chrome’s JavaScript engine.
  • CVE-2021-30551 gets a high rating, with only one bug that isn’t in the wild, exploited by malicious third parties.
  • According to Google, Access to bug details and links may be kept restricted until a majority of users are updated with a fix.
  • The CVE-2021-30551 bug is listed by Google as type confusion in V8, meaning that JavaScript security can be bypassed for running unauthorized code.
Chrome zero day

Users are still dwelling on the previous Microsoft Patch Tuesday announcement, which was pretty bad in their opinion, with six in-the-wild vulnerabilities patched.

Not to mention the one buried deep within the vestiges of Internet Explorer’s MSHTML web rendering code.

14 security fixes in one single update

Now, Google releases Chrome security advisory, which you might want to know includes a zero-day patch (CVE-2021-30551) to Chrome’s JavaScript engine, amongst its other 14 officially listed security fixes.

For those who are still not familiar with the term, Zero-day is an imaginative time, as this type of cyberattack happens in less than a day since the awareness of the security flaw.

Therefore, it doesn’t give the developers nearly enough time to eradicate or mitigate the potential risks associated with this vulnerability.

Similar to Mozilla, Google also clusters together other potential bugs it has found using generic bug-hunting methods, listed as Various fixes from internal audits, fuzzing, and other initiatives.

Fuzzers can produce if not millions, hundreds of millions of test inputs over the span of the proving run.

However, the only information they need to store is in the cases that cause the program to misbehave, or crash.

This means that they can be used later on in the process, as starting points for the human bug hunters, which will also conserve a lot of time and manpower.

Bugs are being exploited in the wild

Google starts by mentioning the zero-day bug, stating that they are] aware that an exploit for CVE-2021-30551 exists in the wild.

This particular bug is listed as type confusion in V8, where V8 represents the part of Chrome that runs JavaScript code.

Type confusion means that you can provide V8 with one data item, while tricking JavaScript into handling it as if it were something totally different, potentially bypassing security or even running unauthorized code.

As most of you might know, JavaScript security breaches that can be triggered by JavaScript code embedded in a web page, more than often result in RCE exploits, or even remote code execution.

With all this being said, Google isn’t clarifying whether the CVE-2021-30551 bug can be used for hardcore remote code execution, which usually means that users are vulnerable to cyber-attacks.

Just to get an idea of how serious this is, imagine surfing a website, without actually clicking on any popups, could allow malicious third parties to run code invisibly, and implant malware on your computer.

Thus, CVE-2021-30551 only gets a high rating, with merely a bug that isn’t in the wild (CVE-2021-30544), classified as critical.

It could be that the CVE-2021-30544 bug had the critical mention attributed to it because it could be exploited for RCE.

However, there’s no suggestion that anyone other than Google, as well as the researchers that reported it know how to do that, for the moment.

The company also mentions that access to bug details and links may be kept restricted until a majority of users are updated with a fix

What is your take on the latest zero day patch by Google? Share your thoughts with us in the comments section below.