Google Patches Two More Zero-Day Vulnerabilities in Chrome

Google has released an urgent security patch for its Chrome browser to fix a new pair of zero-day vulnerabilities that attackers are actively exploiting in the wild.

The emergency update was issued for desktop Chrome on Windows, Mac and Linux.

The update for these two zero-day flaws was released just 5 days after Google issued a similar fix for an actively exploited zero-day vulnerability (CVE-2021-37973) in the Portal feature of the Chrome browser.

Here is the article: Urgent Patch for Active Zero-Day Vulnerability in Portal API of Google Chrome

With this release, Google has patched its fourth and fifth actively exploited zero-days in the last month alone, and 14 such vulnerabilities in 2021.

In-Depth Analysis of Two Active Zero-Day Vulnerabilities in Google Chrome:

The vulnerabilities are tracked as CVE-2021-37975 and CVE-2021-37976 and are rated high and medium severity respectively.

The first, CVE-2021-37975, is rated high severity and is a use-after-free in V8, Chrome's JavaScript and WebAssembly engine.

A use-after-free is a bug in which a program references memory after it has been freed; the consequences range from a crash, to the use of unexpected values, to execution of attacker-controlled code.
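The bug class in miniature, as an added example that is not from the article or from Chromium: two raw pointers alias one heap object, the first owner frees it and the second keeps dereferencing the dangling pointer. Beside it is the ownership discipline that prevents the pattern: reference counting so the object outlives every registered user, and a release routine that nulls the caller's pointer so a mistaken later use is rejected by a checked accessor instead of silently reading freed memory. The `Node` type, the `node_*` functions and the label "v8-object" are all constructed for this illustration.

```c
/* Added example (not from the article or Chromium): a use-after-free in
 * miniature, and the ownership discipline that prevents it. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    char label[32];
    int  refcount;   /* hardened variant: number of live owners */
} Node;

/* Vulnerable pattern: two raw pointers alias one heap object; the first
 * owner frees it, the second one still dereferences the dangling pointer.
 * Not called by the tests: reading freed memory is undefined behaviour and
 * is exactly what AddressSanitizer reports as heap-use-after-free. */
size_t vulnerable_label_length(void)
{
    Node *owner_a = calloc(1, sizeof *owner_a);
    Node *owner_b = owner_a;            /* second, unregistered alias */
    strcpy(owner_a->label, "v8-object");
    free(owner_a);                      /* owner A is done */
    return strlen(owner_b->label);      /* BUG: owner B reads freed memory */
}

/* Hardened pattern: every owner holds a reference; the object lives until the
 * last owner releases it, and release nulls the caller's pointer so a later
 * use is a visible NULL, not a silent read of freed data. */
Node *node_new(const char *label)
{
    Node *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    strncpy(n->label, label, sizeof n->label - 1);
    n->refcount = 1;
    return n;
}

Node *node_retain(Node *n) { if (n) n->refcount++; return n; }

void node_release(Node **slot)
{
    if (!*slot) return;
    if (--(*slot)->refcount == 0) free(*slot);
    *slot = NULL;                       /* kill the dangling pointer */
}

/* Checked accessor: refuses a released (NULL) handle instead of touching memory. */
int node_label_length_checked(Node *n, size_t *out)
{
    if (!n) return -1;
    *out = strlen(n->label);
    return 0;
}

/* Same two-owner scenario as above, with reference counting: owner B can
 * still read the label after owner A releases. Returns the label length. */
size_t hardened_label_length(void)
{
    Node *owner_a = node_new("v8-object");
    Node *owner_b = node_retain(owner_a);  /* owner B is registered */
    node_release(&owner_a);                /* refcount 2 -> 1; owner_a is now NULL */
    size_t len = strlen(owner_b->label);   /* object still alive for B */
    node_release(&owner_b);                /* refcount 1 -> 0: freed here */
    return len;
}

/* How many references remain once owner A has released: 1 (owner B). */
int hardened_refs_after_first_release(void)
{
    Node *owner_a = node_new("v8-object");
    Node *owner_b = node_retain(owner_a);
    node_release(&owner_a);
    int refs = owner_b->refcount;
    node_release(&owner_b);
    return refs;
}

/* A caller that mistakenly reuses owner A's pointer after release gets an
 * error code back (-1); no freed memory is read. */
int use_after_release_is_rejected(void)
{
    Node *owner_a = node_new("v8-object");
    node_release(&owner_a);                /* owner_a is now NULL */
    size_t len = 0;
    return node_label_length_checked(owner_a, &len);
}
```

Building with `-fsanitize=address` and calling `vulnerable_label_length()` makes the sanitizer abort with a heap-use-after-free report that names both the free site and the use site, which is the cheapest way to catch this class during testing; the refcounted variant runs clean under the same build.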

V8 is Google's open-source, high-performance JavaScript and WebAssembly engine. It speeds up the browser by translating JavaScript code into ECMAScript instead of using an interpreter.

The second, CVE-2021-37976, is rated medium severity and is described only as an “information leak in core”. Google has not disclosed further details of this flaw beyond crediting the researchers who reported it.

In addition, the same update fixes CVE-2021-37974, another use-after-free, this one in Safe Browsing.

Official Response of Google on Two Zero-Days Vulnerabilities in Chrome Browser:

Google's security advisory for the two zero-days states that the company is aware that exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.

Google has not shared any further technical information about how attackers exploited the two zero-days, and is not expected to do so until most users have installed the security patches.

In the advisory, Google credited an anonymous researcher for reporting CVE-2021-37975, and Clément Lecigne of the Google Threat Analysis Group (TAG) for discovering CVE-2021-37976 with technical assistance from Sergei Glazunov and Mark Brand of Google Project Zero.

Weipeng Jiang of the Codesafe Team of Legendsec at Qi’anxin Group is acknowledged for reporting CVE-2021-37974.

Here is the official security advisory on the two zero-day Chrome vulnerabilities: Stable Channel Update for Desktop

Recommendations for the Zero-Day Vulnerabilities in the Chrome Browser:

Google advises updating Chrome to the latest version (94.0.4606.71) on Windows, Linux and Mac. This update mitigates the two zero-day vulnerabilities being actively exploited in the wild.

Because the vulnerabilities are under active exploitation, users should upgrade as soon as possible.

Chrome latest version: 94.0.4606.61
  • To check for updates, open Google Chrome and go to Menu > Settings > About Chrome.
  • Chrome checks for the latest version automatically and applies the update on the next launch.
  • Users can also run a manual check for updates from that page.
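For an administrator verifying that a fleet has actually picked up the fix, the check above has to be done against version numbers rather than by eye. The following is an added example, not code from the article or from Google: it compares a dotted Chrome version string numerically (so that 94.0.4606.9 sorts below 94.0.4606.71, unlike a plain string comparison) against the patched release named in the article, and pulls the version out of a banner of the form that `google-chrome --version` prints. The banner format and the sample strings are assumptions constructed for the example.

```c
/* Added example (not from the article or Google): decide whether an installed
 * Chrome version string is at or above the release the article names as patched. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CHROME_PATCHED_VERSION "94.0.4606.71"   /* version quoted in the article */

/* Parse "a.b.c.d"; missing trailing components count as 0. Returns the number
 * of components parsed (1..4), or 0 if the string is not a version at all. */
static int parse_version(const char *s, int parts[4])
{
    parts[0] = parts[1] = parts[2] = parts[3] = 0;
    int n = sscanf(s, "%d.%d.%d.%d", &parts[0], &parts[1], &parts[2], &parts[3]);
    return n < 0 ? 0 : n;
}

/* Numeric comparison of dotted versions; returns <0, 0, >0 like strcmp. */
int version_compare(const char *a, const char *b)
{
    int pa[4], pb[4];
    parse_version(a, pa);
    parse_version(b, pb);
    for (int i = 0; i < 4; i++)
        if (pa[i] != pb[i]) return pa[i] < pb[i] ? -1 : 1;
    return 0;
}

/* 1 if the installed version already carries the fix, 0 if it must be
 * updated, -1 if the string could not be parsed as a version. */
int chrome_is_patched(const char *installed)
{
    int tmp[4];
    if (parse_version(installed, tmp) == 0) return -1;
    return version_compare(installed, CHROME_PATCHED_VERSION) >= 0 ? 1 : 0;
}

/* Extract the first a.b.c.d token from a banner such as the assumed
 * "Google Chrome 94.0.4606.71" output; returns 1 on success, 0 if absent. */
int extract_version(const char *banner, char *out, size_t outlen)
{
    for (const char *p = banner; *p; p++) {
        int a, b, c, d, len = 0;
        if (!isdigit((unsigned char)*p)) continue;   /* only start on a digit */
        if (sscanf(p, "%d.%d.%d.%d%n", &a, &b, &c, &d, &len) == 4
            && len > 0 && (size_t)len < outlen) {
            memcpy(out, p, (size_t)len);
            out[len] = '\0';
            return 1;
        }
    }
    return 0;
}

/* Convenience: patch status straight from a banner line (-1 if no version found). */
int banner_is_patched(const char *banner)
{
    char v[32];
    if (!extract_version(banner, v, sizeof v)) return -1;
    return chrome_is_patched(v);
}

int main(void)
{
    /* Constructed sample banner, not captured from a real machine. */
    const char *sample = "Google Chrome 94.0.4606.61";
    char v[32];
    if (extract_version(sample, v, sizeof v))
        printf("%s -> %s\n", v, chrome_is_patched(v) ? "patched" : "update required");
    return 0;
}
```

Feeding the real `--version` output of each endpoint's Chrome binary into `banner_is_patched()` gives a yes/no per host; anything returning 0 is still exposed to the three CVEs in this update and should be restarted after the background update, since Chrome applies the new version only on the next launch.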

