More zero-day flaws in the Chrome web browser for Windows, Macintosh, and Linux computers
More zero-day flaws have been found in the Chrome web browser used on Windows, Macintosh, and Linux computers. The flaws (CVE-2021-37975 and CVE-2021-37976) are rated high and medium severity respectively. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code on the system or obtain sensitive information.
Google has released an emergency Chrome update (version 94.0.4606.71) to address these two zero-day vulnerabilities. Most Chrome installations will update automatically, but the update only takes effect once the browser has been restarted.
Considering the disclosed vulnerabilities, you should update your Chrome browser to the latest version (at least 94.0.4606.71) as soon as possible. This update addresses these two security flaws.
Double-check your Chrome Browser is up-to-date
Chrome will in many cases update to its newest version automatically.
However, we recommend you double-check if the update has been applied.
In Chrome, click on Settings then About Chrome
If an update is available, Chrome will show that here and then start the download process. When it's completed, it will ask to relaunch the browser to complete the update.
If the browser is up-to-date, it will say "Google Chrome is up to date" and list the version number. Make sure it's at least 94.0.4606.71, the version that contains the fix for these two flaws.
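For anyone who has to confirm this across more than one machine, the same check can be scripted rather than clicked through. The following is an added example, not part of the original advisory: it parses the output of the browser's `--version` flag (e.g. "Google Chrome 94.0.4606.71") and compares it component by component against the fixed version 94.0.4606.71, so that 94.0.4606.61 or 89.0.4389.128 are flagged as needing an update. The binary names and the macOS application path it looks for are assumptions; adjust them for your platform.

```shell
#!/bin/sh
# Added example (not from the original advisory): check an installed
# Chrome/Chromium version against the fixed release 94.0.4606.71.

MIN_CHROME_VERSION="94.0.4606.71"

# extract_version "<--version output>": print the first dotted number
# in the string, e.g. "Google Chrome 94.0.4606.71" -> 94.0.4606.71.
# Prints nothing if no version-like token is present.
extract_version() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+(\.[0-9]+)+$/) { print $i; exit }
    }'
}

# version_ge A B: succeed (exit 0) if A >= B, comparing each dotted
# component numerically; missing trailing components count as 0.
version_ge() {
    _a="$1." _b="$2."
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _a=${_a#*.}
        _y=${_b%%.*}; _b=${_b#*.}
        _x=${_x:-0};  _y=${_y:-0}
        if [ "$_x" -gt "$_y" ]; then return 0; fi
        if [ "$_x" -lt "$_y" ]; then return 1; fi
    done
    return 0
}

# chrome_version_ok "<--version output>": exit 0 if the reported version
# is at least MIN_CHROME_VERSION, 1 if it is older, 2 if unparseable.
chrome_version_ok() {
    _v=$(extract_version "$1")
    [ -n "$_v" ] || return 2
    version_ge "$_v" "$MIN_CHROME_VERSION"
}

# check_installed_chrome: locate a browser binary (assumed names/paths
# below) and report whether it is patched. Returns 0 patched, 1 outdated,
# 2 if no binary was found.
check_installed_chrome() {
    for _bin in google-chrome google-chrome-stable chromium chromium-browser \
        "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
        if command -v "$_bin" >/dev/null 2>&1; then
            _out=$("$_bin" --version 2>/dev/null)
            if chrome_version_ok "$_out"; then
                printf 'OK: %s (>= %s)\n' "$_out" "$MIN_CHROME_VERSION"
                return 0
            fi
            printf 'UPDATE NEEDED: %s (< %s)\n' "$_out" "$MIN_CHROME_VERSION"
            return 1
        fi
    done
    echo "No Chrome/Chromium binary found in PATH" >&2
    return 2
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${CHECK_LOCAL_CHROME:-0}" = "1" ]; then
    check_installed_chrome
fi
```

Run it with `CHECK_LOCAL_CHROME=1 sh check-chrome.sh` on Linux or macOS. Note that `--version` reports the version of the binary on disk, which is what matters here: a browser that has downloaded the update but has not been relaunched still reports the old version, which is exactly the case the relaunch step above is meant to catch. On Windows the version is read from the file version of chrome.exe instead; the comparison logic is the same.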
One vulnerability (CVE-2021-37975) is a use-after-free in V8, Chrome's JavaScript engine. By persuading a victim to visit a specially crafted web site, a remote attacker could exploit it to execute arbitrary code or cause a denial of service condition on the system.
The other vulnerability (CVE-2021-37976) is an information leak in Chrome's core. By persuading a victim to visit a specially crafted web site, a remote attacker could exploit it to obtain sensitive information.
(References: https://www.bleepingcomputer.com/news/security/google-pushes-emergency-chrome-update-to-fix-two-zero-days/, https://cert.civis.net/en/index.php?action=alert&param=CVE-2021-37975 and https://cert.civis.net/en/index.php?action=alert&param=CVE-2021-37976 )