CHROME 89 AVAILABLE
Google announced this week the availability of Chrome 89 on the stable channel, with patches for a total of 47 vulnerabilities, including one that has been actively exploited in the wild. Tracked as CVE-2021-21166, the zero-day vulnerability is described as an "object lifecycle issue in audio" and is rated high severity.
The flaw was reported by Alison Huffman of Microsoft Browser Vulnerability Research, and it is the second of its kind to be addressed in Chrome 89, alongside CVE-2021-21165, also rated high severity.
“Google is aware of reports that there is an exploit for CVE-2021-21166 going around online,” the internet giant noted, without providing further details on the exploitation, impact or attack vectors.
The bug is just one of 32 that were reported by outside researchers and patched with the release of Chrome 89. Among them are 8 issues rated high severity, 15 rated medium severity, and 9 rated low severity.
The remaining 6 high severity issues include stack buffer overflows in TabStrip (CVE-2021-21159, CVE-2021-21161) and WebAudio (CVE-2021-21160), a use-after-free in WebRTC (CVE-2021-21162) and insufficient data validation in Reader Mode (CVE-2021-21163) and in Chrome for iOS (CVE-2021-21164).
The medium severity bugs that have been fixed with this release are as follows:
- Use-after-free bugs in bookmarks, network internals, and tab search.
- Insufficient enforcement of policies in the application cache, in the file system API, and in the autofill feature.
- Memory access out of bounds in V8.
- Incorrect security UI in the loader, the tab strip, and navigation.
- Side-channel information leakage in network internals and in autofill.
- Inappropriate implementations in Referrer, Site Isolation, full screen mode, and compositing.
- A stack buffer overflow in OpenJPEG.
Low severity bugs fixed with this browser update include insufficient policy enforcement, inappropriate implementation, insufficient data validation, use-after-free flaws, and use-before-initialization problems.
Google says it has paid out more than $60,000 in bug bounties to reporting researchers. However, the company has yet to disclose the rewards paid for about half of the externally reported vulnerabilities.