Google’s Chrome Browser Is Under Active Attack, Patch Now
In mid-September, Google patched some actively exploited zero-day vulnerabilities discovered in Google Chrome. Now, the web search giant has done it again with several new security fixes in the 11th hour of September, and you should patch right now.
Published on Thursday, the stable channel update for Google Chrome, denoted by version number 94.0.4606.71, has quite a few fixes or changes. However, the four security fixes are front and center, the first of which being CVE-2021-37974 reported by Weipeng Jiang from the Codesafe Team of Legendsec at Qi'anxin Group.
This vulnerability is a "use after free" issue, meaning problems stem from using dynamic memory allocation and deallocation that does not update the variable pointing to the memory. In short, an attacker can use this to point to an attacker-controlled memory location, leading to a wide array of issues.
The third vulnerability with a CVE number, CVE-2021-37976, has also been added to this sheet though it has a slightly lower severity than the previous two. The update blog describes this as an "information leak in core," which was "reported by Clément Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero."
Beyond these discovered vulnerabilities, Google also does internal audits, fuzzing, and other security initiatives to fix issues, a few of which have been included in the update. However, as some of these vulnerabilities are being exploited in the wild, anyone using Chrome needs to ensure that their browser updates immediately. Further, if you want to know more about what is in this update, you can check out the full blog for additional details.