EXECUTIVE SUMMARY
Google has issued a warning regarding a serious vulnerability in its Chrome browser (affecting Windows, Mac, and Linux) that could allow a malicious actor to take full control of a machine. Google urges users to update their browsers immediately. It is currently estimated that about 2 billion Chrome browser installs are vulnerable.
IMPACT
At this point, Google has not released many details about the exploit, in an attempt to limit attention and reduce the overall number of attempts to abuse this vulnerability. It is known that this vulnerability can be leveraged to gain complete control over an affected machine.
DETAILED ANALYSIS
No detailed analysis is available at this point. It is known that this vulnerability (CVE-2021-30563) affects core components in Chrome: V8 (the core JavaScript engine in Chrome, via type confusion), WebRTC, the graphics engine, Printing, and the audio and streaming components. Google references the following related articles:
High — CVE-2021-30598: Type Confusion in V8. Reported by Manfred Paul
High — CVE-2021-30599: Type Confusion in V8. Reported by Manfred Paul
High — CVE-2021-30600: Use after free in Printing. Reported by 360 Alpha Lab
High — CVE-2021-30601: Use after free in Extensions API. Reported by 360 Alpha Lab
High — CVE-2021-30602: Use after free in WebRTC. Reported by Cisco Talos
High — CVE-2021-30603: Race in WebAudio. Reported by Google Project Zero
High — CVE-2021-30604: Use after free in ANGLE. Reported by SecunologyLab
INDICATORS OF COMPROMISE
A Chrome version earlier than 92.0.4515.159 means that the browser is vulnerable. You can check the Chrome version by navigating to Settings > Help > About Google Chrome.
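A fleet-wide form of the version check above, as an added example that is not part of the original advisory: it parses reported Chrome version strings and compares them numerically against 92.0.4515.159. The hostnames and inventory entries are constructed sample data, and the function names are hypothetical.

```python
import re

# Fixed version stated in this advisory; anything earlier is treated as vulnerable.
FIXED_VERSION = (92, 0, 4515, 159)

# Chrome versions are four dot-separated integers, e.g. "92.0.4515.131".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text):
    """Classify one reported version string as 'vulnerable', 'patched' or 'unknown'."""
    version = parse_chrome_version(text)
    if version is None:
        return "unknown"  # unparsable reports need manual follow-up, not a pass
    # Tuple comparison is numeric per component, so .99 sorts below .159
    # (a plain string comparison gets this case wrong).
    return "vulnerable" if version < FIXED_VERSION else "patched"


def triage(inventory):
    """Group hostnames by classification. inventory maps hostname -> reported text."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, reported in sorted(inventory.items()):
        result[classify(reported)].append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and version strings).
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 92.0.4515.131",
    "ws-002": "Google Chrome 92.0.4515.159",
    "ws-003": "Google Chrome 92.0.4515.99",
    "ws-004": "Google Chrome 93.0.4577.63",
    "ws-005": "91.0.4472.164",
    "ws-006": "not installed",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as "unknown" are kept separate from "patched" so that a missing or malformed version report is never counted as a pass.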
MITIGATION STEPS
Manually update the Google Chrome browser.
- On your computer, open Chrome.
- At the top right, look at More.
- If an update is pending, the icon will be colored:
  - Green: An update was released less than 2 days ago.
  - Orange: An update was released about 4 days ago.
  - Red: An update was released at least a week ago.
To update Google Chrome:
- On your computer, open Chrome.
- At the top right, click More.
- Click Update Google Chrome.
- Important: If you can't find this button, you're on the latest version.
- Click Relaunch.
SOURCES
CONTRIBUTING AUTHORS
- Stephen Jones, Senior Director Cybersecurity
- Maximo Bredfeldt, vCISO
- Susan Verdin, Cybersecurity Analyst