Now is not the time to panic. As with many other software applications that receive ongoing, regular updates, Google’s Chrome browser is no stranger to security issues and vulnerabilities. That said, this is exactly why it is important to keep your software up to date at all times. In the past week, Google has rolled out two incremental updates to Chrome 94 that fix three vulnerabilities confirmed to be exploited in the wild. So, before we go any further, you should head to the Chrome settings menu and check for an update. The latest version of the desktop Chrome browser for Windows, Linux, and macOS is 94.0.4606.71. If you aren’t on that version, you’ll want to update as soon as possible.
Last week’s update contained one high-severity vulnerability, while this week’s update contains four bug fixes, two of which Google has confirmed have zero-day exploits in the wild, meaning that someone has actively attempted to attack a system using the weakness in the software. Below you can find the list of patches rolled out in this version. The first of these netted the Codesafe Team a bug bounty of $20,000 for reporting the issue to the Chrome team.
- [$20000][1245578] High CVE-2021-37974 : Use after free in Safe Browsing. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2021-09-01
- [$TBD][1252918] High CVE-2021-37975 : Use after free in V8. Reported by Anonymous on 2021-09-24
- [$NA][1251787] Medium CVE-2021-37976 : Information leak in core. Reported by Clément Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21
- [1254756] Various fixes from internal audits, fuzzing and other initiatives
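As an added example (not part of the original post or of Chrome’s own tooling), here is a small Python script that parses release-note entries in the format quoted above and checks an installed version string against the patched build, 94.0.4606.71. The bullet format, the field names and the `exposed_cves` helper are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

PATCHED_VERSION = "94.0.4606.71"  # fixed desktop Chrome build named in the post

# Entries as quoted in the post (the last one has no bounty/CVE fields).
RELEASE_NOTES = [
    "[$20000][1245578] High CVE-2021-37974 : Use after free in Safe Browsing. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2021-09-01",
    "[$TBD][1252918] High CVE-2021-37975 : Use after free in V8. Reported by Anonymous on 2021-09-24",
    "[$NA][1251787] Medium CVE-2021-37976 : Information leak in core. Reported by Clément Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21",
    "[1254756] Various fixes from internal audits, fuzzing and other initiatives",
]

# Assumed layout of a security entry:
# [$bounty][bug id] Severity CVE-ID : Description. Reported by <who> on <date>
ENTRY_RE = re.compile(
    r"\[\$(?P<bounty>[^\]]+)\]\[(?P<bug>\d+)\]\s+(?P<severity>Critical|High|Medium|Low)\s+"
    r"(?P<cve>CVE-\d{4}-\d+)\s*:\s*(?P<desc>.*?)\.\s+Reported by\s+(?P<reporter>.*?)"
    r"(?:\s+on\s+(?P<date>\d{4}-\d{2}-\d{2}))?\s*$"
)

@dataclass
class Fix:
    bounty: Optional[int]  # None when the note says TBD or NA
    bug_id: str
    severity: str
    cve: str
    description: str
    reporter: str
    date: Optional[str]

def parse_entry(line: str) -> Optional[Fix]:
    """Return a Fix for a security entry, or None for non-security bullets."""
    m = ENTRY_RE.search(line.strip().lstrip("- ").strip())
    if not m:
        return None
    raw = m.group("bounty")
    return Fix(int(raw) if raw.isdigit() else None, m.group("bug"), m.group("severity"),
               m.group("cve"), m.group("desc"), m.group("reporter"), m.group("date"))

def is_patched(installed: str, fixed: str = PATCHED_VERSION) -> bool:
    """Numeric, component-wise comparison (string comparison would misorder 9 vs 10)."""
    return tuple(int(x) for x in installed.split(".")) >= tuple(int(x) for x in fixed.split("."))

def exposed_cves(notes: List[str], installed: str) -> List[str]:
    """CVEs from the notes that an older-than-patched install is still exposed to."""
    if is_patched(installed):
        return []
    return [f.cve for f in map(parse_entry, notes) if f is not None]

if __name__ == "__main__":
    print(exposed_cves(RELEASE_NOTES, "94.0.4606.61"))  # older build: lists all three CVEs
```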
I won’t pretend to know exactly what all of the above means, but I did do a little research on the high-severity security holes mentioned in the bug reports. “Use after free” describes a bug where a program frees a block of memory but then keeps using its old reference to it; because that memory can be handed out again for something else, the stale reference can read or overwrite data it was never supposed to touch. To put it into terms that I can understand, let’s say you have a closet in your house that contains all of your personal information and everything that is of value to you. That door is locked at all times unless in use by you. Now, you need your Social Security card. You go and unlock the door to retrieve it, but when you leave, you do not lock the door behind you. That unlocked door can now be used by someone else for nefarious reasons, like stealing your prized tiny spoon collection. That’s dumbing it down, but you catch what I’m throwing.
This brings Chrome to more than a dozen zero-day exploits patched in 2021. That’s a decent amount, but let’s remember that Chrome now updates on a four-week cycle and bugs like this are to be expected in software. That is especially true when we’re talking about web browsers, which are essentially the doorway to the entire internet. Google is quick to patch the holes and push out new releases to mitigate the danger. So, keep your browser up to date and practice safe browsing regardless of where the web takes you. You can learn more about the update here.