Urgent Patch for Active Zero-Day Vulnerability in Google Chrome

Google has released an emergency security patch for the Chrome browser to address a zero-day vulnerability that is being actively exploited in the wild.

The urgent update is being rolled out worldwide to desktop users on Windows, Mac and Linux.

The vulnerability is tracked as CVE-2021-37973, rated High severity, and classified as a use-after-free. A use-after-free occurs when a program references memory after it has been freed, which can cause the program to crash, use unexpected values, or execute code.

Vulnerability found in the Portals feature of the Chrome browser:

The flaw lies in the Portals API, a web navigation feature designed to streamline transitions between web pages. Portals are similar to iframes in that they embed content, but a portal can additionally be activated to navigate to the content it embeds.

Portals vs iFrames Comparison

The flaw is a use-after-free (UAF) weakness in Portals, a class of bug caused by incorrect handling of dynamic memory while the program is running. Using previously freed memory can also corrupt valid data, because there is confusion over which part of the program is responsible for freeing that memory.

If the vulnerability is successfully exploited, attackers may be able to execute arbitrary code on the affected system and corrupt data, depending on the installation and on the timing of the flaw.
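To illustrate the bug class described above, here is an added C toy model that is not code from the article or from Chromium and is not a reconstruction of the undisclosed Chrome bug: a host keeps a raw pointer to an embedded "portal" that another owner frees (the vulnerable pattern), shown beside a reference-counted version that clears the pointer on detach. The Portal and Host types and the URL are constructed for the example.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model constructed for this article (not Chrome code): a "portal"
 * shared by its creator and a host page. It shows only the bug class. */
typedef struct Portal {
    char url[64];
    int refcount;           /* number of owners; freed when it reaches 0 */
} Portal;
typedef struct Host { Portal *portal; } Host;   /* embedded portal or NULL */

Portal *portal_new(const char *url) {
    Portal *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    strncpy(p->url, url, sizeof p->url - 1);
    p->refcount = 1;        /* the creator holds the first reference */
    return p;
}
/* Drops one reference; memory is released only when nobody owns it. */
void portal_unref(Portal *p) { if (p && --p->refcount == 0) free(p); }

/* Vulnerable pattern: the host keeps a raw pointer without taking a
 * reference, so once the creator calls portal_unref() the pointer dangles
 * and host_activate_unsafe() reads freed memory (use-after-free). Not run. */
void host_attach_unsafe(Host *h, Portal *p) { h->portal = p; }
int host_activate_unsafe(const Host *h) { return h->portal->url[0] != '\0'; }

/* Hardened pattern: the host takes its own reference, so the creator's
 * unref cannot free the object while the host still uses it. */
void host_attach(Host *h, Portal *p) { p->refcount++; h->portal = p; }
/* Returns the portal URL, or NULL when no portal is attached. */
const char *host_activate(const Host *h) { return h->portal ? h->portal->url : NULL; }
/* Releases the host's reference and clears the pointer so it cannot dangle. */
void host_detach(Host *h) { portal_unref(h->portal); h->portal = NULL; }

/* Creator hands the portal to the host and drops its own reference; the
 * host must still be able to activate it. Returns 1 when every step holds. */
int scenario(void) {
    Host h = { NULL };
    Portal *p = portal_new("https://example.test/next");
    if (!p) return 0;
    host_attach(&h, p);
    portal_unref(p);                         /* creator is done */
    if (p->refcount != 1) return 0;          /* host keeps it alive */
    const char *u = host_activate(&h);
    if (!u || strcmp(u, "https://example.test/next") != 0) return 0;
    host_detach(&h);                         /* last reference: freed now */
    return h.portal == NULL && host_activate(&h) == NULL;
}
```

Running the unsafe pair under AddressSanitizer (compile with -fsanitize=address) reports the heap-use-after-free, which is how this class of defect is usually caught before release.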

Google's official response to the zero-day vulnerability in the Chrome browser:

Google published a security advisory for CVE-2021-37973 stating that it is aware that an exploit for the vulnerability exists in the wild. The company has not disclosed any further details about the in-the-wild exploitation.

Google credited Clément Lecigne of Google's Threat Analysis Group (TAG) with reporting the vulnerability, with technical assistance from Sergei Glazunov and Mark Brand of Google Project Zero.

Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.

Google Spokesperson

The official security advisory for the Chrome vulnerability: Stable Channel Update for Desktop

Recommendations for the Zero-Day Vulnerability in the Chrome Browser:

Google recommends updating to the latest version of Chrome (94.0.4606.61) on Windows, Linux and Mac. This update fixes the zero-day vulnerability that is being actively exploited in the wild.

Users are advised to upgrade Chrome immediately because the flaw is under active exploitation; it is not yet clear whether other Chromium-based browsers are also affected.

  • To check for updates, open Google Chrome and navigate to Menu > Settings > About Chrome.
  • Chrome will automatically check for the latest version and apply it after the next relaunch.
  • Alternatively, users can run a manual check for the latest update from the same page.

Conclusion:

Including this latest fix, Google has patched a total of 12 zero-day vulnerabilities in the Chrome browser since the start of 2021. Most of them were rated High severity because they were being actively exploited in the wild by threat actors, and Google strongly recommends installing updates as soon as they are available.
