Google Launches Emergency Chrome Update to fix two Zero-days

Google Launches Emergency Chrome Update to fix two Zero-days

Google has recently released Chrome 94.0.4606.71 for Windows, Mac, and Linux, to fix zero-day vulnerabilities that have been exploited by threat actors.

“Google is aware of the exploits for CVE-2021-37975 and CVE-2021-37976 exists in the world wide,” Google revealed in the list of security fixes in recent Google Chrome updates. Google has initiated launching out the Chrome 94.0.46.6.71 to users across the world in the Stable Desktop channel and should be available to all the users within the upcoming days.

To install the update instantly, Google Chrome users can navigate the Chrome menu > Help > About Google Chrome, and the browser will start installing the update. In the analysis, the advanced version of the browser was installed instantly using the above procedure.

Google-Launches-Emergency-Chrome-Update-to-fix-two-Zero-days-image1

Google Chrome will also check for available updates and install them the next time you start the web browser.

Zero-day Attacks’ details not revealed

While this Chrome update includes fixes for four security vulnerabilities, the two zero-days are concerning as they are known to have been exploited worldwide. The first zero-day, tracked as CVE-2021-37976, is characterized as an “Information leak in essence” and was authorized at a Medium severity level. The vulnerability was detected by Clement Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero, on September 24th and wished to remain unsigned.

Uses after free flaws are generally used to execute remote code execution or liberate the browser’s security sandbox. At this time, there is no other information regarding how these zero-day vulnerabilities were utilized in attacks but may be updated in future reports by Google TAG or Project Zero.

Chrome users should perform a manual upgrade or restart their browsers to install the latest versions and avoid exploitation attempts.

Google-Launches-Emergency-Chrome-Update-to-fix-two-Zero-days-image2

Number of Zero-day Fixed this Year

With these two fixes, Google has patched 13 zero-day vulnerabilities in the Chrome web browser since the start of 2021.

The other Chrome zero-day bugs Google fixed this year are:

  • CVE-2021-21148 – February 4th, 2021
  • CVE-2021-21166 – March 2nd, 2021
  • CVE-2021-21193 – March 12th, 2021
  • CVE-2021-21220 – April 13th, 2021
  • CVE-2021-21224 – April 20th, 2021
  • CVE-2021-30551 – June 9th, 2021
  • CVE-2021-30554 – June 17th, 2021
  • CVE-2021-30563 – July 15th, 2021
  • CVE-2021-30632 and CVE-2021-30633 – September 13th
  • CVE-2021-37973 – September 24th, 2021

As Google is rolling out Chrome updates to fix zero-days as they are reported, it is always critical to install new browser updates as soon as they become available.             

Leave a Reply