Google has rolled out Chrome 91.0.4472.101 for Windows, Mac, and Linux, which contains 14 security fixes, including a patch for a zero-day flaw exploited in the wild.
Tracked as CVE-2021-30551, the zero-day flaw is described as a type confusion issue within the V8 component in Google Chrome. A remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger a type confusion error and execute arbitrary code on the target system.
Google said it “is aware that an exploit for CVE-2021-30551 exists in the wild” without elaborating on the nature of the attacks, or who was behind them.
However, in a message on Twitter Shane Huntley, Director of Google's Threat Analysis Group, said that this zero-day flaw was exploited by the same threat actor together with the Windows CVE-2021-33742 zero-day patched by Microsoft as part of its June Patch Tuesday release.
“More details will be on CVE-2021-33742 will come from the team, but for context this seem to be a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting,” Shane Huntley wrote.
It’s worth noting that Microsoft’s June Patch Tuesday also includes fixes for two other Windows zero-days (CVE-2021-31955 and CVE-2021-31956) that were abused in attacks launched by a new threat actor dubbed PuzzleMaker.
“Once the attackers have used both the Chrome and Windows exploits to gain a foothold in the targeted system, the stager module downloads and executes a more complex malware dropper from a remote server,” Kaspersky wrote in a blog post.
"This dropper then installs two executables, which pretend to be legitimate files belonging to Microsoft Windows OS. The second of these two executables is a remote shell module, which is able to download and upload files, create processes, sleep for certain periods of time, and delete itself from the infected system."