Google Patches 2 Zero-Days in Chrome Browser (CVE-2021-37975, CVE-2021-37976)

Google has announced a new update to patch 2 zero-day vulnerabilities in Chrome browser.

Overview

Google has announced a new update to patch 4 new vulnerabilities in the Chrome browser. Chrome for Windows, Mac and Linux should be updated immediately, as two of these vulnerabilities are zero-days (CVE-2021-37975, CVE-2021-37976) that are actively exploited in the wild.

Description

Google has released a new version (94.0.4606.71) of Chrome for Windows, Mac and Linux to patch a total of 4 security vulnerabilities. So far, Google has disclosed limited information, such as CVE identifiers and vulnerability types, for only the 3 vulnerabilities reported by external security researchers. 2 of the publicly disclosed vulnerabilities have a “High” severity rating, while the other has been rated “Medium”. For the remaining 1 vulnerability, which was discovered in-house, no information has been shared yet.

Google also announced that two of these vulnerabilities (CVE-2021-37975, CVE-2021-37976) are zero-days and actively exploited in the wild.

Further details on the disclosed vulnerabilities are as follows:

Google additionally shared the names of the tools used to detect these vulnerabilities. The following is the list of tools Google uses for bug discovery:

Impact

An attacker who successfully exploits CVE-2021-37975 by causing memory corruption (Use After Free) in V8 via a crafted HTML page could remotely execute arbitrary code and gain full control of the system.

Impact Summary CVE-2021-37975

Category: Use After Free
CVSS 3.1 Base Score: 8.8 High
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

An attacker who successfully exploits CVE-2021-37976 by taking advantage of an inappropriate implementation in the Memory component could remotely obtain sensitive information from process memory via a crafted HTML page.

Impact Summary CVE-2021-37976

Category: Information Disclosure
CVSS 3.1 Base Score: 6.5 Medium
CVSS 3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Solution (Update)

To defend against attacks exploiting these vulnerabilities, Google Chrome must be updated to stable version 94.0.4606.71.

Normally, Chrome downloads updates in the background and applies them when it is closed and reopened. If it has not been closed for a while, an update may be pending. To check for pending updates, click More (the three vertical dots) at the top right of the Chrome window.
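Checking one browser by hand is fine for a single machine; across a fleet, the same question is "which hosts still report a Chrome build older than 94.0.4606.71?". The script below is an added example for this article (not a tool from Google or the advisory) that compares dotted version strings numerically against the fixed build. The host names and versions in it are constructed; in practice the inventory would come from your endpoint-management or asset tooling.

```python
"""Flag hosts whose Chrome build predates the fixed release (added example)."""
from dataclasses import dataclass

# Stable release that the advisory names as containing the fixes.
FIXED_VERSION = "94.0.4606.71"


def parse_version(v: str) -> tuple:
    """Split a dotted Chrome version into an integer tuple.

    Comparing tuples, not strings, is what makes '100.0.0.0' sort after
    '99.0.9999.99'; a plain string comparison gets that wrong.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version: {v!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed build."""
    return parse_version(installed) < parse_version(fixed)


@dataclass
class Host:
    name: str
    os: str
    chrome_version: str


def hosts_needing_update(inventory) -> list:
    """Names of hosts still running an unpatched Chrome, in inventory order."""
    return [h.name for h in inventory if is_vulnerable(h.chrome_version)]


# Constructed sample inventory: hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    Host("ws-finance-01", "Windows", "94.0.4606.61"),   # one build behind
    Host("ws-finance-02", "Windows", "94.0.4606.71"),   # exactly the fixed build
    Host("mac-design-07", "Mac", "93.0.4577.82"),       # previous major version
    Host("lnx-dev-03", "Linux", "95.0.4638.17"),        # newer than the fix
]

if __name__ == "__main__":
    for name in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{name}: update Chrome to {FIXED_VERSION}")
```

The reported version is the one to trust, not the update dialog: a host whose Chrome has downloaded the update but has not been restarted still runs the old code until the browser is closed and reopened, so an inventory that reads the running binary's version catches exactly the case described above.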

Figure 1: Google Chrome Update Version 94.0.4606.71
Quote by Newton Lee

As the world is increasingly interconnected, everyone shares the responsibility of securing cyberspace.

Newton Lee


References to Advisories, Solutions and Tools
