Google Chrome has issued emergency updates for two zero-day flaws that attackers are exploiting, the second pair for the browser in a month.
It’s been a record year for such flaws, which are previously unknown to the vendor at the time they are exploited. Chrome itself has caught 12 zero-days to date in 2021 compared to eight in all of 2020, according to Google’s Project Zero “0day in the Wild” database, which tracks zero-days.
By many measurements, Chrome is the world’s most popular browser, with one report putting its user count at nearly 3.3 billion. That makes it a lucrative target for hackers. There doesn’t appear to be a single explanation for the rise in zero-days in 2021: more attackers seem to be investing in exploitation techniques, and defenders are also improving their own detection capabilities, so more in-the-wild exploits are being caught.
“Google is aware the exploits” for the two flaws “exist in the wild,” the company wrote on Thursday.
Google otherwise didn’t provide many details about the flaws. One, deemed high severity, was a kind of memory-corruption bug known as a “use after free,” in which a program keeps using memory after it has been freed. Google’s Threat Analysis Group discovered it. Five of this year’s Chrome zero-days have been of this type.
The other zero-day, deemed medium severity, was related to “information leak in core.” An anonymous contributor uncovered that one.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google wrote. “We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
In other recent zero-day news, a researcher who uncovered three such flaws in iOS 15 published them and expressed frustration at Apple for allegedly ignoring him. Apple said it was still investigating the zero-days.