Last Updated on 22/11/2021 by Sunaina
Google’s Chrome 95 update, released on Thursday, fixes two actively exploited Chrome vulnerabilities as well as flaws discovered recently at a Chinese hacking contest.
Both zero-day vulnerabilities were discovered by Google employees. No information has been released about the attacks that exploited these vulnerabilities.
According to data from Google’s Project Zero group, more than a dozen Chrome vulnerabilities discovered this year have been exploited in the wild.
The most recent Chrome 95 update includes eight security fixes, at least seven of which are classified as high severity. While Wei Yuan of MoyunSec VLab earned $10,000 for a use-after-free bug, two of the CVEs patched this week earned two research teams a total of $300,000 at the Tianfu Cup hacking contest, which took place recently in China.
The Kunlun Lab and 360 Alpha Lab teams each received $150,000 for Chrome exploit chains that enabled remote code execution via a sandbox escape. Tianfu Cup organisers paid out the rewards; Google does not pay out separate rewards for vulnerabilities disclosed at hacking competitions such as Tianfu Cup and Pwn2Own.
According to SecurityWeek, the Kunlun Lab exploit also involved a Windows kernel bug that has yet to be patched.
Participants in the Tianfu Cup earned a total of $1.9 million for demonstrating exploits against Windows 10, Ubuntu, iOS 15 on iPhone 13 Pro, Microsoft Exchange, Chrome, Safari, Adobe Reader, Parallels Desktop, QEMU, Docker, VMware ESXi and Workstation, and ASUS routers.