Please report any level of incident, no matter how small. The Information
Security office will evaluate the report and provide a full investigation if appropriate.
More Chrome Zero-Day flaws: CVE-2021-37975 & 37976
Date
More Zero-Day flaws in the Chrome web browser for Windows, Macintosh, and Linux computers
More zero-day flaws have been found in the Chrome web browser used on Windows, Macintosh, and Linux computers. The flaws (CVE-2021-37975 and CVE-2021-37976) are a high and medium severity flaw (respectively) on the CVSS vulnerability-rating scale. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the system or obtain sensitive information.
Google has released an emergency Chrome fix to address these two zero-day vulnerabilities (version 94.0.4606.71). Most Chrome browser will auto-updated and the update requires the browser to be restarted.
Considering the disclosed vulnerabilities, you should update your Chrome browser to the latest version (at least 94.0.4606.71) as soon as possible. This update addresses these two security flaws.
Double-check your Chrome Browser is up-to-date
Chrome will in many cases update to its newest version automatically.
However, we recommend you double-check if the update has been applied.
In Chrome, click on Settings then About Chrome
If an update is available, Chrome will show that here and then start the download process. When it's completed, it will ask to relaunch the browser to complete the update.
If the browser is up-to-date, it will say "Google Chrome is up to date" and list the version number. Make sure it's at least 89.0.4389.128
Additional Details
One vulnerability (CVE-2021-37975) could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free in V8. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system.
The other vulnerability (CVE-2021-37976) could allow a remote attacker to obtain sensitive information, caused by an information leak in core. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to obtain sensitive information.
(References: https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-two-zero-days/, https://cert.civis.net/en/index.php?action=alert¶m=CVE-2021-37975 and https://cert.civis.net/en/index.php?action=alert¶m=CVE-2021-37976 ).
Please see the Chrome Security Page and the Chrome Releases webpages for more information.