Cyber Security

Chrome 95 Update Patches Exploited Zero-Days, Flaws Disclosed at Tianfu Cup

A Chrome 95 update released by Google on Thursday patches two actively exploited Chrome vulnerabilities, as well as flaws that were disclosed recently at a Chinese hacking contest.

The actively exploited vulnerabilities are tracked as CVE-2021-38000, which has been described as an insufficient validation of untrusted input in Intents, and CVE-2021-38003, an inappropriate implementation issue affecting the V8 JavaScript engine. CVE-2021-38000 was discovered in September and CVE-2021-38003 was identified just three days ago.

Google employees have been credited for both zero-day vulnerabilities. No information has been made available regarding the attacks in which these vulnerabilities have been exploited.

More than a dozen Chrome vulnerabilities discovered this year have been exploited in the wild, according to data from Google’s Project Zero team.

The latest Chrome 95 update includes eight security fixes, including at least seven classified as high severity. Wei Yuan of MoyunSec VLab earned $10,000 for a use-after-free bug, and while that is the highest bounty awarded by Google, two of the CVEs patched this week earned two research teams a total of $300,000 at the Tianfu Cup hacking contest that took place recently in China.

The Kunlun Lab and 360 Alpha Lab teams each earned $150,000 for Chrome exploit chains that achieved remote code execution with a sandbox escape. The rewards were paid out by the organizers of Tianfu Cup; Google does not pay out separate rewards for vulnerabilities disclosed at hacking competitions such as Tianfu Cup and Pwn2Own.

SecurityWeek has learned that the Kunlun Lab exploit also involved a Windows kernel bug that has yet to be patched.

At the Tianfu Cup, participants earned a total of $1.9 million for demonstrating exploits targeting Windows 10, Ubuntu, iOS 15 on iPhone 13 Pro, Microsoft Exchange, Chrome, Safari, Adobe Reader, Parallels Desktop, QEMU, Docker, VMware ESXi and Workstation, and ASUS routers.

Related: Google Patches Two More Exploited Zero-Day Vulnerabilities in Chrome

Related: Chrome 94 Update Patches Actively Exploited Zero-Day Vulnerability

Related: Google Warns of Exploited Zero-Days in Chrome Browser


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
