Google patches two Chrome zero-days

Researchers said this was the 10th zero-day exploit that Google had patched this year.
Written by Jonathan Greig, Contributor

On Monday, Google announced fixes for 11 different bugs in Chrome, including two zero-days currently being exploited in the wild. 

Google listed all 11 of the fixes, along with the researchers who discovered them and the bounties handed out. But the two that caused the biggest stir were CVE-2021-30632 and CVE-2021-30633.

"Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild," Google explained. The two vulnerabilities were the only ones that were listed as being submitted anonymously on September 8.

Google added that CVE-2021-30632 related to an "out of bounds write in V8", and CVE-2021-30633 concerned a "use after free in Indexed DB API."

Google said the fixes are part of the Stable channel update to 93.0.4577.82 for Windows, Mac and Linux, and that all of the updates will roll out over the coming days and weeks.

Kevin Dunne, president at Pathlock, said this was the 10th zero-day exploit that Google had patched this year. 

"This milestone highlights the emphasis that bad actors are putting on browser exploits, with Chrome becoming a clear favorite, allowing a streamlined way to gain access to millions of devices regardless of OS," Dunne said. 

"Google's commitment to patching these exploits quickly is commendable, as they operate Google Chrome as freeware and therefore are the sole entity who can provide these updates. We expect to see continued zero-day exploits in the wild, but we are confident Google will continue to place effort on security and providing timely patches to these exploits."

Browser bugs discovered from exploitation in the wild are among the most significant security threats, added John Bambenek, the principal threat hunter at Netenrich.

"Now that they are patched, exploitation will ramp up. That said, almost 20 years on and we haven't made web browsing safe shows that the rapid embrace of technology continues to leave users exposed to criminals and nation-state actors," Bambenek said. 

"Everyone wants to learn how to hack; too few people are working on defense."
