Emergency Google Chrome update fixes zero-day exploited in the wild

Google has released Chrome 94.0.4606.61 for Windows, Mac, and Linux, an emergency update addressing a high-severity zero-day vulnerability exploited in the wild.

"Google is aware that an exploit for CVE-2021-37973 exists in the wild," the browser vendor revealed in today's security advisory.

This Chrome update has started rolling out worldwide to the Stable desktop channel and will be available to all users over the following days and weeks.

The update was available immediately when BleepingComputer manually checked for new updates from Chrome menu > Help > About Google Chrome.

The web browser will also check for new updates and automatically update itself after the next launch.
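For anyone checking more than one machine, comparing the installed build against the fixed build is the check that matters, and it has a classic pitfall: Chrome version strings are dotted quads, so a plain string comparison would rank 94.0.4606.9 above 94.0.4606.61. The script below is an added example and not part of the article or of Google's tooling; the binary names it probes are assumptions for common Linux and macOS installs, and the host inventory is constructed sample data.

```python
import re
import shutil
import subprocess

# First build that ships the fix for CVE-2021-37973 (from Google's advisory).
FIXED_VERSION = "94.0.4606.61"


def parse_version(version):
    """Turn 'Google Chrome 94.0.4606.61' or '94.0.4606.61' into a tuple of ints.

    Tuples compare numerically; comparing the raw strings would be
    lexicographic and wrongly treat '94.0.4606.9' as newer than '94.0.4606.61'.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"no Chrome version found in {version!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(version, fixed=FIXED_VERSION):
    """True if the given build is at or past the fixed build."""
    return parse_version(version) >= parse_version(fixed)


def installed_chrome_version():
    """Return the version string of a locally installed Chrome, or None.

    The binary names are assumptions for typical Linux/macOS installs; on
    Windows read the version from the registry or the executable's file
    properties instead of invoking the browser.
    """
    for name in ("google-chrome", "google-chrome-stable",
                 "chromium", "chromium-browser"):
        path = shutil.which(name)
        if path:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
            return out.stdout.strip()
    return None


def audit(inventory):
    """Map host -> 'patched' / 'VULNERABLE' for a dict of version strings."""
    return {host: ("patched" if is_patched(v) else "VULNERABLE")
            for host, v in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts) to show the verdicts.
    inventory = {
        "ws-01": "Google Chrome 94.0.4606.61",
        "ws-02": "Google Chrome 94.0.4606.54",
        "ws-03": "Google Chrome 93.0.4577.82",
        "ws-04": "Google Chrome 94.0.4606.71",
    }
    for host, verdict in audit(inventory).items():
        print(f"{host}: {verdict}")
    local = installed_chrome_version()
    if local:
        print("local:", local, "->",
              "patched" if is_patched(local) else "VULNERABLE")
```

The same comparison works for any later Chrome advisory by changing `FIXED_VERSION`; the point is to compare numeric components, never the strings.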

Details regarding ongoing attacks not disclosed

The zero-day security flaw fixed today was reported the day the first Google Chrome 94 stable release was published, on September 21, by Clément Lecigne from Google TAG, with assistance from Sergei Glazunov and Mark Brand from Google Project Zero.

The bug, tracked as CVE-2021-37973, is a use-after-free weakness in Portals, a web platform API Google is developing for Chrome that lets a page embed another page and then seamlessly navigate into it.

Successful exploitation of this vulnerability can let attackers execute arbitrary code on computers running unpatched Chrome versions.

Even though Google said it has detected in-the-wild attacks abusing CVE-2021-37973, the company did not share additional information regarding these incidents, such as who is being targeted or how the exploit is delivered.

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," Google said.

"We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

This gives Chrome users time to install the security update before further details, which could help other attackers reproduce the exploit, are made public.

Eleventh zero-day fixed this year

With this bug, Google has patched 11 zero-day vulnerabilities in the Chrome web browser since the start of 2021.

The other Chrome zero-day bugs Google fixed this year are:

Because these security bugs are all known to have been abused by threat actors in the wild, installing all Google Chrome updates is strongly recommended as soon as they are available.
