Google releases emergency Chrome update to fix two zero-day vulnerabilities

Posted by Author Diksha Ojha on Posted on

Google published urgent security updates for its Chrome browser on Thursday, including a pair of new security flaws that are being exploited in the wild. 

CVE-2021-37975 and CVE-2021-37976 are two of four fixes that address a use-after-free weakness in the V8 JavaScript and Web Assembly engines, as well as an information leak in the core. 

While this Chrome update addresses four security flaws, the two zero-day vulnerabilities are significant because they have been exploited in the wild. 

The first zero-day, CVE-2021-37976, was classified as an “Information leak in the core” with a medium severity rating.

The second zero-day, CVE-2021-37975, is a use-after-free flaw in the Chrome V8 JavaScript engine with high severity. V8 is a high-performance JavaScript and Web Assembly engine developed by Google for Chrome and Chromium-based browsers. Instead of utilizing an interpreter, it converts JavaScript code into more efficient machine code, which speeds up the web browser. Because the susceptible component isn’t exclusive to Google Chrome, the flaw likely affects other browsers as well. 

CVE-2021-37974, the second high-severity bug Google patched on Thursday, is another use-after-free flaw found in safe browsing. 

Since the beginning of the year, Google has fixed a total of 14 zero-day vulnerabilities in the web browser with the newest versions that are as follows: 

    • CVE-2021-21148 – February 4th, 2021 
    • CVE-2021-21166 – March 2nd, 2021 
    • CVE-2021-21193 – March 12th, 2021 
    • CVE-2021-21206 – April 13th, 2021 
    • CVE-2021-21220 – April 13th, 2021
    • CVE-2021-21224 – April 20th, 2021
    • CVE-2021-30551 – June 9th, 2021 
    • CVE-2021-30554 – June 17th, 2021

Affected products 
All the Google Chrome versions before 94.0.4606.71.

Mitigation 
Chrome has released its latest version. The 94.0.4606.71 version is available for Windows, Mac, and Linux. This update is introduced to address two zero-day vulnerabilities that have been exploited by attackers. But at the same time, CVE-2021-37975 and CVE-2021-37976 exist in the wild.

One can perform a manual update by going to Settings > Help > About Google Chrome.

Qualys Detection 
Qualys customers can scan their network with QID 375923 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.

References and Sources 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37974  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37975  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37976  
https://threatpost.com/google-emergency-update-chrome-zero-days/175266/ 
https://thehackernews.com/2021/09/update-google-chrome-asap-to-patch-2.html   
https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html 
https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-two-zero-days/  

Leave a Reply

Your email address will not be published. Required fields are marked *