You may have heard it before: Google has patched the desktop version of Chrome to fix two "zero-day" flaws that have already been exploited by hackers, as well as two other vulnerabilities. To stay safe, you should update not only Chrome, but also related browsers.
To update Chrome to the latest version 94.0.4606.71 on Windows or Mac, it is often sufficient to close and restart the browser. If not, click on the three vertical dots in the upper right corner of the browser window, scroll down to "Help," and click "About Google Chrome" from the menu that appears.
A new tab will open and check to see if you have the latest version. If it is not the latest version, Chrome will download the latest version and prompt you to restart.
On Linux, you often have to wait for the next bundled update of the distribution. As for other browsers based on the same open-source Chromium code, as of this writing, none of Microsoft Edge, Opera, Brave, or Vivaldi has been updated to 94.0.4606.71 or its equivalent.
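For anyone checking more than one machine, the version test above can be scripted. The following is an added example, not code from Google or from this article's author: it classifies browser version banners against 94.0.4606.71, assuming Chromium builds share Chrome's version numbering and that other Chromium-based browsers do not, so those are flagged for a vendor check instead. The sample lines and the names `classify` and `audit` are constructed for illustration.

```python
import re

# Fixed version named in the article for Chrome on Windows and Mac.
PATCHED = (94, 0, 4606, 71)

# Assumption: only these products use Chromium's own version numbering.
# Edge, Opera, Brave and Vivaldi number their releases differently, so a
# numeric comparison against PATCHED would be meaningless for them.
CHROMIUM_NUMBERED = ("Google Chrome", "Chromium")

BANNER = re.compile(
    r"^(?P<product>[A-Za-z][A-Za-z ]*?)\s+(?P<version>\d+(?:\.\d+){3})\b"
)


def classify(banner):
    """Return (product, version, status) for one '--version' style banner."""
    m = BANNER.match(banner.strip())
    if not m:
        return (None, None, "unparsed")
    product, version = m.group("product"), m.group("version")
    if product not in CHROMIUM_NUMBERED:
        return (product, version, "check-vendor")
    # Compare as integer tuples: as strings, "94.0.4606.100" sorts before
    # "94.0.4606.71" and a patched build would be reported as outdated.
    parts = tuple(int(p) for p in version.split("."))
    status = "patched" if parts >= PATCHED else "outdated"
    return (product, version, status)


# Constructed inventory lines in the shape of `google-chrome --version` output.
SAMPLE = [
    "Google Chrome 94.0.4606.61 ",
    "Google Chrome 94.0.4606.71 ",
    "Chromium 94.0.4606.100 snap",
    "Microsoft Edge 94.0.992.31 ",
    "no browser installed",
]


def audit(lines):
    """Classify every banner line in an inventory."""
    return [classify(line) for line in lines]


if __name__ == "__main__":
    for product, version, status in audit(SAMPLE):
        print(f"{status:12} {product or '-':16} {version or '-'}")
```

Anything reported as `check-vendor` has to be compared against that browser's own release notes, since its version number says nothing about which Chromium build it contains.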
As usual, the Chrome team has not stated who is exploiting these vulnerabilities against whom, only that Google "knows" that exploits of the two zero-day flaws "exist in the wild." (The term "zero-day" refers to the fact that defenders have zero days to prepare before a flaw is exploited.)
The first zero-day flaw, cataloged as CVE-2021-37975, involves a "use after free" bug in V8, Chrome's JavaScript parser. This means that another potentially malicious application could occupy space on the computer's memory chip immediately after V8 finishes using memory and hijack system processes before the OS can reallocate a chunk of memory.
The flaw was discovered by an anonymous researcher.
The second zero-day, CVE-2021-37976, concerns an "information leak in the core." I'm not sure what "core" refers to, since there are ten different "cores". This flaw appears to be less serious than the others, and its discovery is attributed to Clément Lecigne of Google's Threat Analysis Group and Sergei Glazunov and Mark Brand of the Google Project Zero team.
The third flaw fixed in this update is not a zero-day but is another use-after-free bug, this time, ironically, in Chrome's Safe Browsing feature. Google has not yet disclosed the fourth flaw.
According to an online spreadsheet that tracks such things, these are the 47th and 48th zero-day flaws found in Chrome this year. One zero-day patch was applied to Chrome just last week.
The timeline of Chrome's desktop stable-channel updates over the past three months is as follows.