Posted on August 21, 2021 at 10:59 AM
Google Chrome users have been advised to upgrade their browser to avoid becoming victims of the latest attack. Hackers discovered a massive security flaw in the Google Chrome browser that can be exploited.
In a high severity security advisory, the Indian Computer Emergency Response Team (CERT-In) stated that multiple bugs have been reported in Google Chrome which can be exploited by threat actors remotely to compromise a system.
According to the researchers, the bugs exist in Google Chrome due to an incorrect security UI, an unreachable write error in Tab Groups, or a buffer overflow error in Bookmarks.
iOS and iPadOS have active vulnerabilities
CERT-In explained that threat actors could exploit the vulnerabilities using a specially crafted document. Successful exploitation could enable the hacker to compromise the targeted system, the researchers noted.
CERT-In had recently warned iPad and iPhone users to update their devices to iPadOS 14.7.1 and iOS 14.7.1 as soon as possible. According to the researchers, both iPadOS and iOS have active vulnerabilities that are currently being exploited in the wild.
CERT-In also warned about the recently found memory corruption bug. The affected devices include iPad Air 2, iPad Pro (all models), and iPhone 6s, and the latest versions. Others include iPod touch (7th generation), iPad mini 4 and later versions, and iPad 5th generation and later versions.
The Google team fixed the last batch of flaws only two weeks ago. So, the discovery of the new vulnerability is proof that the Google Chrome browsers are no longer as safe as they used to be.
The US Cybersecurity and Infrastructure Security Agency (CISA) has also advised administrators to apply the required updates to prevent any exploitation of their systems.
Users should watch out for more updates
Google wants to roll out its latest update to all Linux, Mac, and Windows users in the coming days and weeks.
Srinivas Sista, Google Chrome’s technical programmer, posted that nine of the security flaws have been fixed in the most recent update. Of these fixes, seven have been rated very high by researchers outside of Google.
Manfred Paul, one of the security researchers responsible for discovering two high-severity bugs, stated that a threat actor could gain unauthorized access to systems through the vulnerabilities.
The security researcher, who was awarded $21,000 for his efforts, identified the vulnerabilities as CVE-2021-30599 and CVE-2021-30598.
While analyzing the risk, Manfred stated that it would not be straightforward for the threat actors, because they would need to exploit another bug to stay hidden from the Chrome sandbox. While it may seem impossible, some highly experienced and technical threat actors could succeed, he stated.
The specific vulnerabilities have not been disclosed in full because the details could give cybercriminals an idea of how to exploit them. But the researcher has explained them to the Google team in detail to enable the team to find patches for them.
Like other tech giants, Google runs a bug bounty program that rewards hackers and security researchers who discover vulnerabilities that would otherwise have been exploited by threat actors. The idea is to give them a small financial reward to encourage their search for vulnerabilities in Google systems and apps. It makes the systems safer and saves Google a lot of the headaches that would have followed if the flaws were exploited by bad actors.
No exploitation in the wild yet
The researchers have also stated that they haven’t seen the vulnerabilities being exploited in the wild yet. However, that doesn’t mean that all systems are safe. As the threat actors are aware of the vulnerabilities, they could intensify efforts to look for ways to exploit them. As a result, the best thing for Google Chrome users, according to the researchers, is to apply the updates as soon as possible.