[BreachExchange] Google releases emergency fix to plug zero‑day hole in Chrome

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Sep 28 08:34:17 EDT 2021


https://www.welivesecurity.com/2021/09/27/google-releases-emergency-fix-plug-zero-day-hole-chrome/

Google has released an emergency update for its Chrome web browser to fix a
zero-day vulnerability that is known to be actively exploited in the wild
by malicious actors. The security loophole affects the Windows, macOS, and
Linux versions of the popular browser.

“Google is aware that an exploit for CVE-2021-37973 exists in the wild,”
Google said of the newly disclosed zero-day. The bug, rated high severity,
is a use-after-free flaw in Portals, the Chromium web navigation API used
for page-to-page transitions. Use-after-free bugs in the browser's
rendering code are a common starting point for code execution, which is why
a single such flaw under active exploitation warrants an emergency release.

Clément Lecigne of Google’s Threat Analysis Group (TAG) was credited with
the discovery of the vulnerability on September 21st, with technical
assistance provided by two of his colleagues from Google Project Zero
Sergei Glazunov and Mark Brand.

The flaw was serious enough to warrant a dedicated out-of-band update for
the Chrome browser. The release is especially notable, considering that it
was rolled out mere days after Google pushed out a stable release of Chrome
that fixed another 19 security bugs. It took Google's team just three days
to ship a fix after Lecigne and his colleagues reported the flaw and its
active exploitation in the wild.

The United States’ Cybersecurity and Infrastructure Security Agency (CISA)
also took note of the release and issued a security advisory urging both
users and system administrators to update their browsers. “Google has
released Chrome version 94.0.4606.61 for Windows, Mac, and Linux. This
version addresses a vulnerability—CVE-2021-37973—that an attacker could
exploit to take control of an affected system. An exploit for this
vulnerability exists in the wild,” said the agency.

Given the timing and severity of the disclosed vulnerability, you would do
well to update your browser to the patched version (94.0.4606.61 or later)
as soon as possible. If automatic updates are enabled, the browser should
pick up the new version on its own, although a running Chrome only applies
the update after it is restarted.

If automatic updates are disabled, you can also update the browser manually
by opening the About Google Chrome page (chrome://settings/help), found
under Help in the menu bar. That page shows the installed version and
triggers an update check when it is opened.