Google pushes Chrome’s emergency update to fix two zero days

Google released Chrome 94.0.4606.71 for Windows, Mac, and Linux, to fix two zero-day vulnerabilities that have been exploited by attackers.

“Google is aware that exploits for CVE-2021-37975 and CVE-2021-37976 exist in nature,” Google revealed in the list of security patches fixed in today’s Google Chrome release.

Google has started rolling out Chrome 94.0.4606.71 for users worldwide in the Stable Desktop channel and is expected to be available to all users in the coming days.

To install the update immediately, Google Chrome users can go to Chrome menu > To help > About Google Chrome, and the browser will start to update.

In our testing, the new browser version was installed immediately by following the steps above.

Google Chrome will also check for available updates and install them the next time you launch the web browser.

Details of zero-day attacks are not disclosed

While this version of Chrome includes fixes for four security vulnerabilities, both zero days are of concern as they are known to have been exploited in the wild.

The first zero-day, followed as CVE-2021-37976, is described as an “information leak in the heart” and has been assigned a medium severity level. This vulnerability was discovered by Clément Lecigne of Google TAG, with technical assistance from Sergei Glazunov and Mark Brand of Google Project Zero, on September 21, 2021.

The second day zero, followed as CVE-2021-37975, is a high severity user after a free bug in the Chrome V8 JavaScript engine. The researcher revealed this vulnerability on September 24 and wished to remain anonymous.

For use after free bugs are commonly used to execute code remotely or to escape the browser security sandbox.

At this time, there are no further details on how these zero-day vulnerabilities were used in the attacks, but could be published in future reports by Google TAG or Project Zero.

2 additional days corrected by Chrome:
* CVE-2021-37975 use-after-free in V8 by anonymous
* CVE-2021-37976 information leak in kernel by @ _clem1 # itw0days

The release cycle that Chrome is putting in place in order to release these fixes is pretty impressive https://t.co/j1xPY4zjlP

– Maddie Stone (@maddiestone) September 30, 2021

Chrome users need to manually upgrade or restart their browser to install the latest version and prevent exploitation attempts.

Thirteenth zero-day set this year

With these two fixes, Google fixed 13 zero-day vulnerabilities in the Chrome web browser since the start of 2021.

Other zero-day Chrome bugs fixed by Google this year are:

As Google rushes to Chrome updates to fix zero days as they are reported, it’s still essential to install new browser updates as soon as they become available.