Google’s issues emergency updates to resolve vulnerabilities


Image Courtesy: Sunday Vision

Google has issued an emergency Chrome update to address yet another pair of zero days that are being exploited in the wild — the second pair this month. This brings the total number of zero days detected in the browser this year to a dozen.

On Thursday evening, the web Goliath published Chrome 94.0.4606.71 stable channel version for Windows, Mac, and Linux to address the two zero-day vulnerabilities, which were part of a four-security-fix update.

“Google is aware that vulnerabilities for CVE-2021-37975 and CVE-2021-37976 exist in the wild,” Google said in a statement accompanying the release of the browser updates.

Google, like it did with the pair of zero days that were being exploited in the open early last month, is keeping technical specifics under wraps, at least until the majority of users have had a chance to install the update. Chrome 94.0.4606.71 has begun to be distributed to users globally via the Stable Desktop channel, and it should be accessible to all users over the next few days.

Here are the specifics for the two zero-days:

  • CVE-2021-37976 is classified as a “core information leak” with a Medium severity rating. Google’s Threat Analysis Group’s (TAG) Clément Lecigne identified it and reported it last Tuesday, Sept. 21. Sergei Glazunov and Mark Brand from Google Project Zero deserve credit for their technological help as well.
  • CVE-2021-37975 is a vulnerability in the V8 JavaScript engine that causes a user-after-free issue. It’s one of two high-severity vulnerabilities in Thursday’s update, as reported by an anonymous source on Sunday, Sept. 26. V8 is an open-source, high-performance JavaScript and WebAssembly engine developed by Google for Chrome and Chromium-based browsers. Instead of deploying an interpreter, it converts JavaScript code into more efficient machine code, which speeds up the web browser. Because this susceptible component isn’t exclusive to Google Chrome, it’s safe to assume that the problem affects other browsers as well.

Use-after-free vulnerabilities may lead to a wide range of attacks, from the corruption of legitimate data to the execution of arbitrary code. Gurucul CEO Saryu Nayyar classified these issues as among the year’s most serious software vulnerabilities in his article for Threatpost’s InfoSec Insider series.