Google has addressed two zero-day security bugs that are being actively exploited in the wild. As part of the internet giant’s latest stable channel release (version 93.0.4577.82 for Windows, Mac and Linux), it fixed 11 total vulnerabilities, all of them rated high-severity.

The two zero days are tracked as CVE-2021-30632 and CVE-2021-30633. “Google is aware that exploits for [these] exist in the wild,” the company said in its short website notice on the update, issued Monday. Google is restricting any technical details “until a majority of users are updated with a fix,” it said. The vulnerabilities were reported anonymously, precluding any gleaning of details from the researcher who found them.

Here’s what we know:

CVE-2021-30632: Out of bounds write in V8 JavaScript Engine; and
CVE-2021-30633: Use after free in the IndexedDB API.

Out-of-bounds write flaws can result in corruption of data, a crash or code execution. Use-after-free issues can result in any number of attack types, ranging from the corruption of valid data to the execution of arbitrary code. Both bugs have TBD bug-bounty awards attached to them and were reported on Sept. 8.

V8 is Google’s open-source, high-performance JavaScript and WebAssembly engine for Chrome and Chromium-based browsers. It translates JavaScript code into more efficient machine code instead of using an interpreter, which speeds up the web browser. Since this vulnerable component is not specific to Google Chrome, it’s a good bet that…
