Google released an emergency update for its Chrome web browser on Thursday. According to the company, this update includes fixes for two zero-day vulnerabilities (CVE-2021-38000 and CVE-2021-38003) that are being actively exploited in the wild. The new 95.0.4638.69 version is available for Windows, Mac, and Linux and addresses seven vulnerabilities, including these two zero-days.
“Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild,” Google stated in today’s list of security fixes.
While Google warns that the latest version may take some time to reach everyone, Chrome 95.0.4638.69 has already begun rolling out to users in the Stable Desktop channel around the world.
Description
The first zero-day, CVE-2021-38000, was rated high severity due to “insufficient validation of untrusted input in Intents.”
The second zero-day, CVE-2021-38003, is a high-severity “Inappropriate implementation” issue in the Chrome V8 JavaScript engine.
The other five vulnerabilities addressed in this update are:
- CVE-2021-37997: Use after free in Sign-In.
- CVE-2021-37998: Use after free in Garbage Collection.
- CVE-2021-37999: Insufficient data validation in New Tab Page.
- CVE-2021-38001: Type Confusion in V8.
- CVE-2021-38002: Use after free in Web Transport.
A 15th zero-day in the same product within a single year puts the vendor in a difficult position, and the latest two are exploited in the wild as well. No public proof-of-concept is available yet.
The other 13 zero-days are:
- CVE-2021-21148 – February 4th, 2021
- CVE-2021-21166 – March 2nd, 2021
- CVE-2021-21193 – March 12th, 2021
- CVE-2021-21220 – April 13th, 2021
- CVE-2021-21224 – April 20th, 2021
- CVE-2021-30551 – June 9th, 2021
- CVE-2021-30554 – June 17th, 2021
- CVE-2021-30563 – July 15th, 2021
- CVE-2021-30632 and CVE-2021-30633 – September 13th
- CVE-2021-37973 – September 24th, 2021
- CVE-2021-37976 and CVE-2021-37975 – September 30th, 2021
Affected versions
All the Google Chrome versions before 95.0.4638.69 are affected by these vulnerabilities.
Mitigation
Customers are advised to update to Chrome version 95.0.4638.69. For more information, refer to the Chrome Security Page.
You can perform a manual update by going to Settings > Help > About Google Chrome.
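The affected-version statement above (everything before 95.0.4638.69) is easy to get wrong at scale: a version string such as "95.0.4638.7" sorts after "95.0.4638.69" as text, so a naive string comparison would mark an unpatched build as fixed. The script below is an added example, not Qualys detection logic or Google's code; it parses the four-part Chrome version out of a string (the "Google Chrome 95.0.4638.69" format printed by `google-chrome --version` is assumed), compares it numerically against the fixed build, and triages a constructed inventory of hostnames.

```python
import re
from typing import Dict, List, Tuple

# Fixed build named in the advisory; every earlier version is affected.
FIXED_VERSION = "95.0.4638.69"

# Chrome versions are four dot-separated integers (major.minor.build.patch).
VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a 4-part Chrome version from a string such as the output of
    `google-chrome --version` ('Google Chrome 95.0.4638.69', assumed format)
    and return it as a tuple of ints so ordering is numeric per component."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is strictly below the fixed build."""
    return parse_version(version) < parse_version(fixed)


# Constructed sample inventory: (hostname, raw version string) pairs.
# ws-04 is the trap: as text, "95.0.4638.7" compares greater than
# "95.0.4638.69", but numerically it is an older, unpatched build.
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome 95.0.4638.69"),
    ("ws-02", "Google Chrome 95.0.4638.54"),
    ("ws-03", "Google Chrome 94.0.4606.81"),
    ("ws-04", "Google Chrome 95.0.4638.7"),
    ("ws-05", "Google Chrome 96.0.4664.45"),
]


def triage(inventory) -> Dict[str, List[str]]:
    """Split an inventory into hosts that still need the update and hosts
    already at or above the fixed build."""
    report: Dict[str, List[str]] = {"vulnerable": [], "patched": []}
    for host, raw in inventory:
        bucket = "vulnerable" if is_vulnerable(raw) else "patched"
        report[bucket].append(host)
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_INVENTORY)
    print(f"Fixed build: {FIXED_VERSION}")
    print("Needs update:", ", ".join(result["vulnerable"]))
    print("Patched:     ", ", ".join(result["patched"]))
```

Feed it real version strings collected from endpoints (for example from a software inventory export) in place of the constructed list; the numeric tuple comparison is what keeps a patch-level ".7" from being mistaken for something newer than ".69".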
Qualys Detection
Qualys customers can scan their devices with QID 376000 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://thehackernews.com/2021/10/google-releases-urgent-chrome-update-to.html
https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html
https://www.bleepingcomputer.com/news/google/emergency-google-chrome-update-fixes-zero-days-used-in-attacks/