Chrome users beware: just days after I warned that attacks on Google’s browser are increasing, another critical hack has been confirmed.
Google published the news in a new blog post, where it revealed Chrome’s 11th ‘zero day’ exploit of the year has been found (CVE-2021-37973) and it affects Linux, macOS and Windows users. A zero-day classification means hackers have been able to exploit the flaw before Google could release a fix, which makes it significantly more dangerous than most security flaws. Google confirmed this saying it “is aware that an exploit for CVE-2021-37973 exists in the wild”.
In an attempt to protect users and buy them time to upgrade, Google is keeping the details surrounding CVE-2021-37973 a closely guarded secret. All the company would provide were its threat ranking, what part of Chrome had been exploited and that it was discovered in-house by Google employees:
High — CVE-2021-37973 : Use after free in Portals. Reported by Clément Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21
Interestingly, the new zero-day is yet another ‘Use-After-Free’ (UAF) vulnerability. As I noted just three days ago, this has been a fruitful avenue for hackers in recent months. In September alone, 10 High-rated UAF vulnerabilities were found in Chrome. UAF vulnerabilities are memory flaws that arise when a program fails to clear the pointer to a region of memory after that memory is freed, so the stale pointer can still be used.
In response, Google has released a critical fix. The company warns all Chrome users will get it at the same time, but to check if you are protected, navigate to Settings > Help > About Google Chrome. If your Chrome version is 94.0.4606.61 or higher, you are safe. If the update is not yet available for your browser, keep checking regularly for the new version.
When you are able to update, remember that Chrome must be restarted for the fix to take effect. Chrome is now used by over 2.65 billion users worldwide, making it a huge target for hackers. While Google is doing its part to counter attacks, hackers can still find easy prey among users who fail to complete that crucial final step. Don’t be one of them.
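The version check and the restart step described above can be applied across many machines at once. The following Python script is an added example, not code from Google or from this article; the inventory format, the host names and the sample version strings are constructed for illustration.

```python
import csv
import io

FIXED = (94, 0, 4606, 61)  # first safe Chrome version named in the article

# Constructed sample inventory: host, version installed on disk, and version
# of the running browser process (empty when Chrome is not running).
SAMPLE_INVENTORY = """\
host,installed,running
ws-001,94.0.4606.61,94.0.4606.61
ws-002,94.0.4606.61,93.0.4577.82
ws-003,93.0.4577.82,93.0.4577.82
ws-004,94.0.4606.71,
ws-005,unknown,
"""


def parse_version(text):
    """Return a 4-tuple of ints, or None if the text is not a Chrome version."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(installed, running):
    """Classify a host as patched, restart-needed, vulnerable or unknown."""
    inst = parse_version(installed)
    if inst is None:
        return "unknown"
    if inst < FIXED:  # numeric comparison, so 4606.9 sorts below 4606.61
        return "vulnerable"
    if running.strip():
        run = parse_version(running)
        if run is None:
            return "unknown"
        # The update is on disk but an older process is still running:
        # the fix does not take effect until Chrome is restarted.
        if run < FIXED:
            return "restart-needed"
    return "patched"


def triage(inventory_csv):
    """Map each host in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["installed"], r["running"] or "") for r in rows}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `restart-needed` have downloaded the update but are still running the older build, which is the case the final paragraph warns about.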