
Google Chrome upgrades to 93.0.4577.82 release

A new stable release of the Google Chrome browser was published on 13th September. The latest stable version of Google Chrome for Windows, Mac and Linux is now 93.0.4577.82; the previous version was 93.0.4577.63.

While most users make sure that Chrome on the desktop updates, make sure that the browser on your mobile phone is updated as well; otherwise the phone remains exposed to the same security risks. Update Chrome from the Google Play store so that the mobile browser also moves to version 93.0.4577.82.

Aside from bug fixes and product improvements, the latest release of Google Chrome fixes a number of outstanding security vulnerabilities. The release addresses 11 vulnerabilities, 9 of which are rated high severity. All of them were reported between August and the first ten days of September 2021. Most of these vulnerabilities do not yet have publicly available details, which is expected: details are disclosed only after the fix has been rolled out in the browser.

Below, we list some of these reported vulnerabilities that have been taken care of in the latest stable release version 93.0.4577.82.

CVE-2021-30625 – Use after free in Selection API

Little is known publicly about this CVE beyond that it was found by Marcin Towalski of Cisco Talos, reported on 6th August, and fixed in the latest stable release of Chrome. It is rated HIGH severity for your IT infrastructure. The vulnerability type is ‘Use after free in Selection API’: a use-after-free (UAF) in the Selection API that an attacker could potentially use to exploit heap corruption via a crafted HTML page.

CVE-2021-30626 – Out of bounds memory access in ANGLE

This is another HIGH severity vulnerability, found by Jeonghoon Shin of Theori and reported on 18th August. Its type is ‘Out of bounds memory access in ANGLE’, meaning an attacker could potentially perform an out-of-bounds memory access via a crafted HTML page.

CVE-2021-30627 – Type Confusion in Blink layout

The vulnerability ‘Type confusion in Blink layout’ was reported by Aki Helin of OUSPG on 1st September. A type confusion bug arises when code treats an object as a type it is not, and such bugs often occur alongside UAF vulnerabilities. It has been exploited in the past, including in Chrome version 93.0.4577.63. It allows remote attackers to access user data in an unauthorized way, and attackers can deploy malicious code through it.

The type confusion vulnerability has HIGH impact and can lead to data theft and the installation of malicious payloads.

CVE-2021-30628 – Stack buffer overflow in ANGLE

Another HIGH impact vulnerability in Chrome has been resolved in the latest version. It is a classic stack buffer overflow: data written past the end of a buffer on the stack overwrites adjacent stack memory, compromising the application’s stack and potentially leading to remote code execution by the attacker.

While no details of CVE-2021-30628 have been made public, the fix in the latest Chrome version closes it in the browser engine. The vulnerability was found by Jaehun Jeong (@n3sk) of Theori and reported on 18th August.

CVE-2021-30629 – Use after free in Permissions

This vulnerability was reported on 26th August by Weipeng Jiang (@Krace) of the Codesafe Team of Legendsec at Qi’anxin Group. A use after free in the Permissions component means a remote attacker could use crafted input to manipulate and corrupt memory; effects could include privilege escalation.

Public details of the vulnerability are not available. It remains a HIGH impact vulnerability that must be patched immediately by upgrading Chrome to version 93.0.4577.82.

CVE-2021-30630 – Inappropriate implementation in Blink

This vulnerability was reported by SorryMybad of Kunlun Lab on 30th August. It is a HIGH impact vulnerability that can impair IT infrastructure. The inappropriate implementation in Blink allows a remote attacker to bypass the same-origin policy via a crafted HTML page, which amounts to information disclosure with the potential for data theft.

Same-origin policy bypasses are a common class of vulnerability that has been used in the past to attack the Chrome browser engine. Thankfully, this one has been fixed in Chrome version 93.0.4577.82.

CVE-2021-30631 – Type Confusion in Blink layout

This HIGH impact vulnerability was reported by Atte Kettunen of OUSPG on 6th September. It is again a standard type confusion vulnerability that attackers could use to compromise the target system, either to access data on it or to deploy malicious payloads. Details are not yet public on the CVE listing, for the reasons given above.

CVE-2021-30632 – Out of bounds write in V8 (High)

This is a critical zero-day vulnerability in Chrome browser engine version 93.0.4577.63. It was reported anonymously on 8th September and has been patched in stable release 93.0.4577.82. A remote attacker can use it to potentially exploit heap corruption via a crafted HTML page. Given its critical severity, it should be patched immediately by upgrading to Chrome stable release 93.0.4577.82. In effect it is a remote code execution vulnerability, as attackers could deploy malicious payloads on the target system.

Patch this vulnerability immediately.

CVE-2021-30633 – Use after free in Indexed DB API (High)

Alongside the previous critical zero-day, there is a second critical zero-day: a use after free in the IndexedDB API. IndexedDB is a low-level API for client-side storage of significant amounts of structured data, including files/blobs. A UAF exploit targeting this API can leave the stored data fully compromised and let attackers manipulate the data in the database.

The vulnerability was reported on 8th September and, given its nature and impact, has been closed by Google in Chrome stable release 93.0.4577.82.

How do I update Chrome browser on my computer?

Unless your system administrators upgrade Chrome through system policies, you can upgrade the browser yourself:

  • Click the three dots at the right of the Chrome toolbar
  • Click Help > About Chrome
  • This shows the current version of Chrome and triggers an automatic update of the browser
  • Once the update completes, Chrome restarts so that the updated version is in use
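For fleets where the menu walk-through above is not practical, a small Python check (added here as an example; not part of the original post) can parse version strings collected from each machine and flag hosts still below 93.0.4577.82. The hostnames and inventory are constructed, and the comparison is numeric, because a plain string comparison would rank 93.0.4577.9 above 93.0.4577.82.

```python
from __future__ import annotations
import re
from typing import Iterable

# Minimum patched version named in this post.
PATCHED_VERSION = "93.0.4577.82"

def parse_version(text: str) -> tuple[int, ...]:
    """Pull a four-part dotted version (e.g. '93.0.4577.82') out of free text, as an int tuple."""
    m = re.search(r"\b(\d+(?:\.\d+){3})\b", text)
    if not m:
        raise ValueError(f"no Chrome version found in: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_patched(version_text: str, minimum: str = PATCHED_VERSION) -> bool:
    """True when the version is at or above the patched release.
    Compared numerically: a string compare would rank 93.0.4577.9 above 93.0.4577.82."""
    return parse_version(version_text) >= parse_version(minimum)

def triage_inventory(lines: Iterable[str]) -> dict[str, list[str]]:
    """Sort 'host<TAB>version output' lines into patched / unpatched / unknown hosts."""
    result: dict[str, list[str]] = {"patched": [], "unpatched": [], "unknown": []}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version_text = line.partition("\t")
        try:
            bucket = "patched" if is_patched(version_text) else "unpatched"
        except ValueError:
            bucket = "unknown"  # version absent or unparsable: needs manual follow-up
        result[bucket].append(host)
    return result

# Constructed sample inventory (hypothetical hostnames with collected `google-chrome --version` output).
# 93.0.4577.82 and 93.0.4577.63 are the versions from this post; the other two are made up for the demo.
SAMPLE_INVENTORY = """\
# host<TAB>version query output
ws-001\tGoogle Chrome 93.0.4577.82
ws-002\tGoogle Chrome 93.0.4577.63
ws-003\tGoogle Chrome 93.0.4577.9
ws-004\tGoogle Chrome 94.0.0.0
ws-005\tchrome not installed
"""

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY.splitlines()).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```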

Summary

The September stable release of Chrome, version 93.0.4577.82, addresses 11 issues in the Chromium project. Two of them are zero-day exploits with critical impact on the infrastructure. We recommend updating Chrome on your systems immediately to close the 9 high or critical vulnerabilities.