Google published urgent security updates for its Chrome browser on Thursday, including a pair of new security flaws that are being exploited in the wild.
CVE-2021-37975 and CVE-2021-37976 are two of four fixes that address a use-after-free weakness in the V8 JavaScript and Web Assembly engines, as well as an information leak in the core.
While this Chrome update addresses four security flaws, the two zero-day vulnerabilities are significant because they have been exploited in the wild.
The first zero-day, CVE-2021-37976, was classified as an “Information leak in the core” with a medium severity rating.
The second zero-day, CVE-2021-37975, is a use-after-free flaw in the Chrome V8 JavaScript engine with high severity. V8 is a high-performance JavaScript and Web Assembly engine developed by Google for Chrome and Chromium-based browsers. Instead of utilizing an interpreter, it converts JavaScript code into more efficient machine code, which speeds up the web browser. Because the susceptible component isn’t exclusive to Google Chrome, the flaw likely affects other browsers as well.
CVE-2021-37974, the second high-severity bug Google patched on Thursday, is another use-after-free flaw found in safe browsing.
Since the beginning of the year, Google has fixed a total of 14 zero-day vulnerabilities in the web browser with the newest versions that are as follows:
-
- CVE-2021-21148 – February 4th, 2021
- CVE-2021-21166 – March 2nd, 2021
- CVE-2021-21193 – March 12th, 2021
- CVE-2021-21206 – April 13th, 2021
- CVE-2021-21220 – April 13th, 2021
- CVE-2021-21224 – April 20th, 2021
- CVE-2021-30551 – June 9th, 2021
- CVE-2021-30554 – June 17th, 2021
Affected products
All the Google Chrome versions before 94.0.4606.71.
Mitigation
Chrome has released its latest version. The 94.0.4606.71 version is available for Windows, Mac, and Linux. This update is introduced to address two zero-day vulnerabilities that have been exploited by attackers. But at the same time, CVE-2021-37975 and CVE-2021-37976 exist in the wild.
One can perform a manual update by going to Settings > Help > About Google Chrome.
Qualys Detection
Qualys customers can scan their network with QID 375923 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References and Sources
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37974
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37976
https://threatpost.com/google-emergency-update-chrome-zero-days/175266/
https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html
https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-two-zero-days/