Google announced the release of an emergency update to address four critical security flaws in the Chrome browser whose exploitation would allow threat actors to infiltrate the systems of affected users. According to various members of the cybersecurity community, the finding of these flaws is revealed just days after Google addressed the thirteenth zero-day flaw found in the browser during 2021.
Google’s security report does not include technical details about the problems found, as it only mentions that the latest update includes a total of four security patches that must be installed immediately.
Some researchers note that the most severe flaw, tracked as CVE-2021-37978 is a stack-based buffer overflow, while another severe flaw (CVE-2021-3977) resides in the Garbage Collection feature. This security flaws have no Common Vulnerability Scoring System (CVSS) assigned yet.
Another report states that successful exploitation of these vulnerabilities would allow threat actors to create malformed code signatures in order to evade security mechanisms such as OpenSSL. In addition, this report mentions that Windows also considers the malicious signature valid, which makes it a possible method of data exfiltration.
The researchers also note that threat actors can use this attack technique in Chrome for attacks in the implementation of OpenSUpdater, categorized as risky software that includes ads to Chrome users to install applications of dubious reputation.
Finally, the researchers revealed that such a technique mainly applies to users in the United States who usually download gaming apps or pirated software. Google’s latest warning comes after the tech giant announced two vulnerabilities a couple weeks ago.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science at Miami and started working as a cyber security analyst in 2008. He is actively working as an cyber security investigator. He also worked for security companies like Cisco. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.