


The About Google Chrome screen tells you what version you are running and whether it is up to date.

The fixes address high-severity vulnerabilities reported to Google by independent researchers from as early as August of this year. That said, the company has included names of the researchers who found the flaws in its announcement. The two vulnerabilities that are being actively exploited, namely CVE-2021-30632 and CVE-2021-30633, were submitted anonymously. The former is an "Out of bounds write" flaw in the V8 JavaScript engine and the latter is a "Use after free" bug in the Indexed DB API.

Because threat actors are currently exploiting the two aforementioned vulnerabilities, Google provides little to no information on how the attacks against these weaknesses are being carried out, or other precautionary measures users should be looking out for.

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

Nobody will be surprised to see that one of the in-the-wild exploits affects Chrome's V8 engine.

At the heart of every modern web browser sits a JavaScript interpreter, a component that does much of the heavy lifting for interactive web apps. These components need to accommodate frequent updates and adhere to a bewildering array of web standards, while also being both fast and secure.

Chrome's V8 JavaScript engine has been a significant source of security problems. So significant, in fact, that in August Microsoft, whose Edge browser is based on Chrome, announced an experimental project called Super Duper Secure Mode that aims to tackle the rash of V8 problems by simply turning an important part of it off.

A little under half of the CVEs issued for V8 relate to its Just-in-Time (JIT) compiler, and more than half of all ‘in-the-wild’ Chrome exploits abuse JIT bugs. Just-in-time compilation is an important performance feature and turning it off is a direct trade of speed for security. How much? According to our quick-and-dirty testing, turning off the JIT compiler makes JavaScript execution twice as slow in Edge.

To date, the Google Chrome team has patched 11 zero-day vulnerabilities in 2021. Previous patches are from the following vulnerabilities, some of which we have covered here in the Malwarebytes Labs blog:

With so much bad PR, you might expect Chrome's market share to suffer, yet it remains by far the most popular browser. Users, and the Google Chrome brand, seem unaffected.
