Patch Tuesday August 2021 – Several Chromium Security Updates Slated for Release. No Fix in Sight for PrintNightmare Vulnerability
PrintNightmare Unsolved. Microsoft to Fix Chromium UI Issues.
For August’s Patch Tuesday bout, Microsoft has greenlighted several security updates for its Chromium-based Edge browser. PrintNightmare is still a work in progress, with no foreseeable timeline. No major security updates have been announced for Microsoft’s Patch Tuesday August.
Patch Tuesday August 2021 – Highlights
As I’ve mentioned, nearly all of the disclosed August Patch Tuesday updates pivot on Microsoft Edge’s Chromium engine. On July the 5th, Microsoft published seven security updates for Edge. The severity and impact ratings are unavailable; however, according to the documentation, three out of seven updates revolve around various UI issues, while the others are meant to iron out defects such as an out-of-bounds read in Tab Strip, an out-of-bounds write in Tab Groups, a File System API flaw, and a heap buffer overflow. All the details can be found below.
CVE-2021-30597 – Use after free in Page Info UI
The vulnerability may affect one or more UI framework components, potentially leading to memory corruption. An attacker could leverage this bug to remotely access a vulnerable host by using a ‘spiked’ HTML page to trigger a heap corruption. CVE-2021-30597 mostly impacted machines running Google Chrome versions lower than 92.0.4515.107. The vulnerability has been addressed in Chrome 92.0.4515.207.
CVE-2021-30596 – Incorrect security UI in Nav
A UI framework-related bug may be exploited by a malicious actor via content spoofing. CVE-2021-30596 leverages a security flaw discovered in the Navigation component of Opera, Vivaldi, and Chromium-based browsers. The issue was reported as fixed in Chromium 92.0.4515.107-3 and Vivaldi version 4.1.2369.15-1. However, no fixes are available for Opera versions prior to 78.0.4093.112-1.
CVE-2021-30594 – Use after free in Page Info UI
A Remote Code Execution (RCE) vulnerability that allows an attacker to leverage the use-after-free error via crafted content (i.e. a webpage). If exploited successfully, the attacker can run malicious code on the victim’s machine. CVE-2021-30594 affects older Chromium builds, including 79.0.309.71, 84.0.522.40, 86.0.622.51, etc. The defect was reported as fixed in version 92.0.4515.131, released on the 2nd of August 2021.
CVE-2021-30593 – Out of bounds read in Tab Strip
A data disclosure bug triggered by a security vulnerability discovered in Chromium’s Tab Strip component. If exploited, CVE-2021-30593 would allow a threat actor to exfiltrate sensitive information. The issue was flagged as ‘fixed’ in Chromium 92.0.4515.131-3 and Vivaldi 4.1.2369.15-1. No fix is available, though, for Opera 78.0.4093.112-1.
CVE-2021-30592 – Out of bounds write in Tab Groups
The vulnerability allows for Remote Code Execution on a target machine by leveraging the anomalous response returned when the browser processes an untrusted HTML page or HTML-type content. The issue affects multiple Chrome versions, including 7.0.517.41, 92.0.4515.107, 83.0.4103.61, etc., but has been resolved in Chromium 92.0.4515.131-3.
CVE-2021-30591 – Use after free in File System API
An RCE-type vulnerability leveraging the use-after-free security bug discovered in the File System API. If exploited, CVE-2021-30591 allows threat actors to run arbitrary code on the victim’s machine with elevated privileges. The issue was solved in Vivaldi 4.1.2369.15-1 and Chromium 92.0.4515.107-3, but remains unsolved for Opera 78.0.4093.112-1.
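To check a browser inventory against the Chromium fixed-in builds quoted in the entries above, here is an added example (not from the original article or any vendor tooling). The host names and sample inventory are constructed, and reading the `-N` suffix as a package revision is an assumption.

```python
import re

# Fixed-in Chromium builds exactly as quoted in the CVE entries above.
FIXED_IN_CHROMIUM = {
    "CVE-2021-30596": "92.0.4515.107-3",
    "CVE-2021-30594": "92.0.4515.131",
    "CVE-2021-30593": "92.0.4515.131-3",
    "CVE-2021-30592": "92.0.4515.131-3",
    "CVE-2021-30591": "92.0.4515.107-3",
}
_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")

def parse_build(text):
    """Split 'a.b.c.d[-rev]' into ((a, b, c, d), rev); rev is None if absent."""
    m = _BUILD_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a four-part Chromium build: {text!r}")
    *parts, rev = m.groups()
    return tuple(int(p) for p in parts), (int(rev) if rev is not None else None)

def is_older(installed, fixed):
    """True if 'installed' predates 'fixed'. Fields compare as integers:
    as plain strings, '7.0.517.41' would sort after '92.0.4515.131'."""
    have, have_rev = parse_build(installed)
    want, want_rev = parse_build(fixed)
    if have != want:
        return have < want
    # Same upstream build: the package revision decides only if both carry one
    # (assumption: the '-N' suffix is a distribution package revision).
    return have_rev is not None and want_rev is not None and have_rev < want_rev

def unpatched_cves(installed):
    """CVEs from the table whose fixed-in build is newer than 'installed'."""
    return sorted(c for c, f in FIXED_IN_CHROMIUM.items() if is_older(installed, f))

def audit(inventory):
    """Map host -> missing fixes; unparsable versions are flagged, not skipped."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = unpatched_cves(version)
        except ValueError:
            report[host] = ["UNKNOWN-VERSION"]
    return report

# Constructed inventory; host names and the last two version strings are made up.
SAMPLE = {"ws-01": "7.0.517.41", "ws-02": "92.0.4515.107-1",
          "ws-03": "92.0.4515.131-3", "ws-04": "100.0.0.1", "ws-05": "n/a"}

if __name__ == "__main__":
    for host, missing in audit(SAMPLE).items():
        print(host, ", ".join(missing) or "up to date")
```

Hosts whose version string cannot be parsed are reported as `UNKNOWN-VERSION` so they are followed up rather than silently counted as patched.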
Additional Cybersecurity Tips
Meanwhile, we’re still anxiously waiting for the PrintNightmare fix, a bug that has made (mostly) everyone boot Shadow Copies, postpone backups, and rethink ransomware protection. With mum’s the word, all we can do now is wait, wipe, and do whatever it takes to safeguard those business assets against whatever may come. So, on that note:
- Steer clear of suspicious links and emails received from unknown contacts.
- Don’t open email attachments without scanning them first.
- Download and apply the latest security patches and updates. You can do it the old-fashioned way or jump into full-auto mode with a solution like Heimdal™ Patch & Asset Management. Your move.
- Access governance and identity-based management for the win.
Hope you’ve enjoyed this Patch Tuesday article and, as always, if you want to reach out, don’t forget about our awesome comments section.
Extra resources:
- Previous Patch Tuesday article.
- Andra Andrioaie’s take on PrintNightmare
- Auto-updating guide for Microsoft Optional Patches.