Google released a new version of Chrome for Windows, macOS, and Linux to address an actively exploited zero-day vulnerability and other security flaws in the web’s most popular browser.
The company said Chrome 91.0.4472.101 includes 14 security fixes for vulnerabilities of varying severity; the zero-day is tracked as CVE-2021-30551. Google didn’t offer many details about the security flaw, which was reported by members of Google’s Threat Analysis Group and Google Project Zero on June 4, but it did say that it “is aware that an exploit for CVE-2021-30551 exists in the wild.”
Google Threat Analysis Group director Shane Huntley tweeted on June 9 that CVE-2021-30551 is related to a Windows vulnerability, CVE-2021-33742, that Microsoft patched the day prior. Huntley said that both vulnerabilities “seem to be a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting” and that Google plans to reveal more details about its findings.
BleepingComputer reported that Google has patched five other actively exploited zero-day vulnerabilities in Chrome this year. It also noted that Google’s patch arrived a day after Kaspersky revealed the existence of PuzzleMaker, a threat actor said to have conducted “a wave of highly targeted attacks against multiple companies” that “exploited a chain of Google Chrome and Microsoft Windows zero-day exploits” in April.
Google listed 10 other flaws addressed by Chrome 91.0.4472.101 in the update’s release notes. Two were said to be of medium severity, seven of high severity, and one of critical severity as defined by the Google Chromium Severity Guidelines for Security Issues. More information about the flaws, their CVE identifiers, and the amount Google will pay the researchers who discovered them can be found in the release notes.
Chrome 91.0.4472.101 is available now. Google said the update “will roll out over the coming days/weeks” to Chrome users who rely on automatic updates to receive the latest version of the browser, but those willing to install the update themselves can do so by following the instructions on the Chrome website.