Chrome’s zero-day patch contains 14 important security fixes

Updated on October 4, 2023

Key notes

Users are still dwelling on the previous Microsoft Patch Tuesday announcement, which was pretty bad in their opinion, with six in-the-wild vulnerabilities patched.

Not to mention the one buried deep within the vestiges of Internet Explorer’s MSHTML web rendering code.

14 security fixes in one single update

Now, Google has released a Chrome security advisory, which you might want to know includes a zero-day patch (CVE-2021-30551) for Chrome’s JavaScript engine, among its other 14 officially listed security fixes.

For those who are still not familiar with the term, zero-day refers to an imaginary point in time, as this type of cyberattack happens less than a day after the security flaw becomes known.

Therefore, it doesn’t give the developers nearly enough time to eradicate or mitigate the potential risks associated with this vulnerability.

Similar to Mozilla, Google also clusters together other potential bugs it has found using generic bug-hunting methods, listed as "Various fixes from internal audits, fuzzing, and other initiatives".

Fuzzers can produce millions, if not hundreds of millions, of test inputs over the span of a test run.

However, the only inputs they need to store are the cases that cause the program to misbehave or crash.

This means that they can be used later on in the process, as starting points for the human bug hunters, which will also conserve a lot of time and manpower.
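The keep-only-the-failures behaviour described above, as an added Python example that is not from the article or from Google: a toy mutation fuzzer runs 20,000 inputs against a constructed parser and stores one shortest input per distinct crash. The target `parse_record`, its two planted bugs and the seed input are all hypothetical.

```python
import random

def parse_record(data: bytes) -> int:
    """Constructed toy target with two planted bugs (not Chrome code)."""
    if len(data) < 3 or data[0] != 0x7E:
        raise ValueError("bad header")   # graceful rejection, not a crash
    length, body = data[1], data[2:]
    last = body[length - 1]              # bug 1: length byte is trusted
    return 1000 // last                  # bug 2: divides by an input byte

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Apply one to three random edits: overwrite, truncate or insert."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 3)):
        op = rng.choice(("set", "cut", "add"))
        if op == "set" and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == "cut" and buf:
            del buf[rng.randrange(len(buf)):]
        else:
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
    return bytes(buf)

def signature(exc: BaseException) -> tuple:
    """Bucket crashes by exception type and the line that raised it."""
    tb = exc.__traceback__
    while tb.tb_next:
        tb = tb.tb_next
    return (type(exc).__name__, tb.tb_lineno)

def fuzz(target, seed: bytes, runs: int, rng_seed: int = 1):
    """Run `runs` mutated inputs; keep only the shortest input per crash."""
    rng, crashes, executed = random.Random(rng_seed), {}, 0
    for _ in range(runs):
        data = mutate(seed, rng)
        executed += 1
        try:
            target(data)
        except ValueError:
            continue                     # expected rejection: discard
        except Exception as exc:         # unexpected failure: a finding
            sig = signature(exc)
            if sig not in crashes or len(data) < len(crashes[sig]):
                crashes[sig] = data
    return executed, crashes

if __name__ == "__main__":
    executed, crashes = fuzz(parse_record, b"\x7e\x03abc", 20000)
    print(f"{executed} inputs run, {len(crashes)} kept: {crashes}")
```

The handful of saved inputs, each replayable against the target, is what a human analyst would start from.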

Bugs are being exploited in the wild

Google starts by mentioning the zero-day bug, stating that they are aware that an exploit for CVE-2021-30551 exists in the wild.

This particular bug is listed as type confusion in V8, where V8 represents the part of Chrome that runs JavaScript code.

Type confusion means that you can provide V8 with one data item, while tricking JavaScript into handling it as if it were something totally different, potentially bypassing security or even running unauthorized code.

As most of you might know, security breaches that can be triggered by JavaScript code embedded in a web page more often than not result in RCE (remote code execution) exploits.

With all this being said, Google isn’t clarifying whether the CVE-2021-30551 bug can be used for hardcore remote code execution, which usually means that users are vulnerable to cyber-attacks.

Just to get an idea of how serious this is, imagine that simply surfing a website, without actually clicking on any popups, could allow malicious third parties to run code invisibly and implant malware on your computer.

Thus, CVE-2021-30551 only gets a high rating, with only one bug, which isn’t in the wild (CVE-2021-30544), classified as critical.

It could be that the CVE-2021-30544 bug had the critical mention attributed to it because it could be exploited for RCE.

However, there’s no suggestion that anyone other than Google and the researchers who reported it knows how to do that, for the moment.

The company also mentions that access to bug details and links may be kept restricted until a majority of users are updated with a fix.

What is your take on the latest zero day patch by Google? Share your thoughts with us in the comments section below.

Vlad Turiceanu

Windows Editor

Passionate about technology, Windows, and everything that has a power button, he spent most of his time developing new skills and learning more about the tech world.

Coming from a solid background in PC building and software development, with a complete expertise in touch-based devices, he is constantly keeping an eye out for the latest and greatest!
