Google’s Chrome Browser Is Under Active Attack, Patch Now
Published on Thursday, the stable channel update for Google Chrome, version 94.0.4606.71, contains quite a few fixes and changes. The four security fixes are front and center, however, the first of which is CVE-2021-37974, reported by Weipeng Jiang from the Codesafe Team of Legendsec at Qi'anxin Group.
This vulnerability is a "use after free" issue, meaning the program keeps using dynamically allocated memory after it has been deallocated, because the variable pointing to that memory was never updated. In short, an attacker can use this to make the stale pointer refer to an attacker-controlled memory location, leading to a wide array of issues.
Following this is another "use after free" problem, but this one lies within Google's problematic V8 JavaScript engine. This issue, denoted as CVE-2021-37975, was discovered by an anonymous researcher who reported it to Google. This one is of particular interest as it has been added to Google's "0day In The Wild" spreadsheet, which tracks actively exploited vulnerabilities.
The third vulnerability with a CVE number, CVE-2021-37976, has also been added to this sheet, though it has a slightly lower severity than the previous two. The update blog describes this as an "information leak in core," which was "reported by Clément Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero."
Beyond these discovered vulnerabilities, Google also does internal audits, fuzzing, and other security initiatives to fix issues, a few of which have been included in the update. However, as some of these vulnerabilities are being exploited in the wild, anyone using Chrome needs to ensure that their browser updates immediately. Further, if you want to know more about what is in this update, you can check out the full blog for additional details.
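One way to check a fleet against the fixed version named above, 94.0.4606.71, is to compare each reported Chrome version numerically. This is an added example, not part of the original article; the host names and inventory lines are constructed sample data, and `parse_version` and `audit` are hypothetical helper names.

```python
import re

# Fixed stable-channel version named in the article.
FIXED = (94, 0, 4606, 71)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part version from text such as
    'Google Chrome 94.0.4606.71'. Returns a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def audit(inventory, fixed=FIXED):
    """Sort (host, version_text) pairs into patched / needs_update / unknown.

    Versions are compared as integer tuples. Comparing the raw strings
    would wrongly rank a build ending in .100 below one ending in .71.
    """
    report = {"patched": [], "needs_update": [], "unknown": []}
    for host, raw in inventory:
        version = parse_version(raw)
        if version is None:
            report["unknown"].append(host)      # no version found: check by hand
        elif version >= fixed:
            report["patched"].append(host)
        else:
            report["needs_update"].append(host)
    return report


# Constructed sample inventory (hypothetical hosts, illustrative versions).
SAMPLE = [
    ("ws-01", "Google Chrome 94.0.4606.71"),
    ("ws-02", "Google Chrome 94.0.4606.61"),
    ("ws-03", "Google Chrome 93.0.4577.82 "),
    ("ws-04", "Google Chrome 94.0.4606.100"),   # string comparison gets this wrong
    ("ws-05", "chrome: command not found"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts in the `unknown` bucket returned no parsable version and should be checked manually rather than assumed patched.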