You may have heard it before: Google has patched the desktop version of Chrome to fix two "zero-day" flaws that have already been exploited by hackers, as well as two other vulnerabilities. To stay safe, you should update not only Chrome, but also the related browsers.
To update Chrome to the latest version, 94.0.4606.71, on Windows or Mac, it is often sufficient to close and restart the browser. If not, click the three vertical dots in the upper right corner of the browser window, scroll down to "Help," and click "About Google Chrome" in the menu that appears.
A new tab will open and check whether you have the latest version. If you do not, Chrome will download the latest version and prompt you to restart.
On Linux, you often have to wait for the next bundled update of the distribution. As for other browsers based on the same open source Chromium, as of this writing, none of Microsoft Edge, Opera, Brave, or Vivaldi has been updated to 94.0.4606.71 or its equivalent.
As usual, the Chrome team has not stated who is exploiting these vulnerabilities against whom, only that Google "knows" that exploits of the two zero-day flaws "exist in the wild." (The term "zero-day" refers to the fact that defenders have zero days to prepare before a flaw is exploited.)
The first zero-day flaw, cataloged as CVE-2021-37975, involves a "use after free" bug in V8, Chrome's JavaScript parser. This means that another potentially malicious application could occupy space on the computer's memory chip immediately after V8 finishes using memory and hijack system processes before the OS can reallocate a chunk of memory.
The flaw was discovered by an anonymous researcher.
The second zero-day, CVE-2021-37976, concerns an "information leak in the core." I'm not sure what "core" refers to, since there are ten different "cores." This flaw appears to be less serious than the others, and its discovery is attributed to Clément Lecigne of Google's Threat Analysis Group and Sergei Glazunov and Mark Brand of the Google Project Zero team.
The third flaw fixed in this update is not a zero-day but is another use-after-free bug, this time, ironically, in Chrome's Safe Browsing feature. Google has not yet disclosed the fourth flaw.
According to an online spreadsheet that tracks such things, these are the 47th and 48th zero-day flaws found in Chrome this year. One zero-day patch was applied to Chrome just last week.
The timeline of Chrome's desktop stable-channel updates over the past three months is as follows