Now is not the time to panic. As with many other software applications that receive regular and continuous updates, Google’s Chrome browser is no stranger to security issues and vulnerabilities. That said, this is exactly why it is important to keep your software up to date at all times. Last week, Google released two incremental updates for Chrome 94 that included three known exploits confirmed in the wild. So before proceeding, you need to head over to Chrome’s settings menu and check for an update. The latest version of the desktop Chrome browser for Windows, Linux, and macOS is 94.0.4606.71. If you are not on that version, you will want to update as soon as possible.
Last week’s update contained a high-severity vulnerability, while this week’s update contains four bug fixes. Google has confirmed that two of them have zero-day exploits in the wild, meaning that someone has actively tried to attack a system using the vulnerable software. Below you can find the list of patches implemented in this release. The first one earned the Codesafe team a $20,000 bug bounty for reporting the issue to the Chrome team.
- [$20000] High CVE-2021-37974: Use after free in Safe Browsing. Reported by Weipeng Jiang (@Krace) of Legendsec’s Codesafe Team at Qi’anxin Group on 2021-09-01
- [$TBD] High CVE-2021-37975: Use after free in V8. Reported by Anonymous on 2021-09-24
- [$NA] Medium CVE-2021-37976: Information leak in core. Reported by Clément Lecigne of Google TAG, with technical assistance from Sergei Glazunov and Mark Brand of Google Project Zero on 2021-09-21
- Various fixes from internal audits, fuzzing and other initiatives
I won’t pretend to know exactly what all of the above means, but I did do some research on the high-severity security holes mentioned in the bug reports. “Use after free” is a term used when memory is accessed for a specific purpose, but the software does not release its reference to that memory when it finishes using the resource. To put it in terms anyone can understand: let’s say you have a closet in your home that contains all of your personal information and everything that is of value to you. That door is locked at all times unless you are using it. Now, you need your Social Security card. You go and unlock the door to get it, but when you leave, you don’t close the door behind you. That open door can now be used by someone else for nefarious reasons, like stealing your prized collection of small spoons. That’s silly, but you get what I’m saying.
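The unlocked-closet picture above, as an added C example that is not from the original article or from Chrome's code. It uses a constructed toy pool (the names `pool_alloc`, `pool_free`, `read_unchecked` and `read_checked` are hypothetical) to show a stale handle reading the next owner's data, and a generation counter that rejects it.

```c
#include <stdio.h>
#define SLOTS 4

/* Constructed toy pool: each slot has a generation counter bumped on release. */
struct slot { char data[32]; unsigned gen; int in_use; };
static struct slot pool[SLOTS];
/* A handle records the slot index and the generation seen at allocation. */
struct handle { int idx; unsigned gen; };

struct handle pool_alloc(const char *value) {
    for (int i = 0; i < SLOTS; i++) {
        if (pool[i].in_use) continue;
        pool[i].in_use = 1;
        snprintf(pool[i].data, sizeof pool[i].data, "%s", value);
        return (struct handle){ i, pool[i].gen };
    }
    return (struct handle){ -1, 0 };   /* pool exhausted */
}

void pool_free(struct handle h) {
    if (h.idx < 0 || h.idx >= SLOTS) return;
    if (!pool[h.idx].in_use || pool[h.idx].gen != h.gen) return; /* stale or double free */
    pool[h.idx].in_use = 0;
    pool[h.idx].gen++;                 /* invalidates every outstanding handle */
}

/* Unchecked read: models a dangling pointer, it trusts the index alone. */
const char *read_unchecked(struct handle h) { return pool[h.idx].data; }

/* Checked read: rejects a handle whose slot was released after it was issued. */
const char *read_checked(struct handle h) {
    if (h.idx < 0 || h.idx >= SLOTS) return NULL;
    if (!pool[h.idx].in_use || pool[h.idx].gen != h.gen) return NULL;
    return pool[h.idx].data;
}

int main(void) {
    struct handle a = pool_alloc("owner A: card number");
    pool_free(a);                                          /* A is done, slot released */
    struct handle b = pool_alloc("owner B: private data"); /* same slot is reused */
    printf("unchecked stale read: %s\n", read_unchecked(a));
    printf("checked stale read:   %s\n", read_checked(a) ? "allowed" : "rejected");
    printf("checked live read:    %s\n", read_checked(b));
    return 0;
}
```

The pool never touches freed heap memory, so the stale read is deterministic here; with a real allocator the same mistake is undefined behaviour.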
This puts Chrome at more than a dozen zero-day exploits in 2021. That’s a decent amount, but let’s remember, Chrome now updates on a four-week cycle and bugs like this are expected in software. That’s especially true when it comes to web browsers, which are essentially the gateway to the entire Internet. Google is rushing to repair the holes and launch new releases to mitigate the danger. So, keep your browser up to date and practice safe browsing no matter where the web takes you. You can get more information about the update here.