Chrome users, all 2.65 billion of you, need to be on high alert (for the third time this month) because Google has confirmed multiple new High-level hacks of the browser.
Following confirmation of four serious vulnerabilities less than two weeks ago, Google has published a new blog post revealing a further five ‘High’ rated vulnerabilities have been found in Chrome as well as 11 other flaws. Here’s everything you need to know and the action you must now take.
Chrome’s New Vulnerabilities
As is standard practice, Google is currently restricting information about the new hacks to buy time for Chrome users to upgrade. As a result, this is all the company is sharing about the High rated threats at present:
- High – CVE-2021-37981 : Heap buffer overflow in Skia. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-09-04
- High – CVE-2021-37982 : Use after free in Incognito. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2021-09-11
- High – CVE-2021-37983 : Use after free in Dev Tools. Reported by Zhihua Yao of KunLun Lab on 2021-09-15
- High – CVE-2021-37984 : Heap buffer overflow in PDFium. Reported by Antti Levomäki, Joonas Pihlaja and Christian Jalio from Forcepoint on 2021-09-27
- High – CVE-2021-37985 : Use after free in V8. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-08-20
While specifics are missing, the new threats continue a pattern seen in recent months. ‘Use-After-Free’ (UAF) exploits hit Chrome more than 10x last month, a zero-day UAF flaw was exposed this month and another three High rated attacks (six in total) make up the latest vulnerabilities. UAF vulnerabilities are memory exploits, when a program fails to clear the pointer to the memory after it is freed.
The other trend here is the rise of Heap buffer overflow exploits. After staying off the radar for some time, Heap buffer exploits were responsible for several High level threats earlier this month. Now another two Heap buffer attacks have breached the browser’s security. Also known as ‘Heap Smashing’, memory on the heap is dynamically allocated and typically contains program data. With an overflow, critical data structures can be overwritten which makes it an ideal target for attacks.
What You Need To Do
To combat these threats, Google has released a critical Chrome update, version 95.0.4638.54. To check if you are protected, navigate to Settings > Help > About Google Chrome. If your Chrome version matches this version number or higher, you are safe. Be warned, Google states that the rollout of 95.0.4638.54 will be staggered so you may not be able to protect yourself immediately. If the update is not yet available for your browser, make sure you check regularly for the new version.
And when you can update, be sure to remember the critical last step: restart your browser. Even if you have updated, you will not be safe until you restart. This knowledge gap is something hackers like to exploit, especially as Google — for all its fast work patching Chrome threats — has given no indication this critical step can be eliminated in the near future.
Be sure to educate friends and family about this, but first check your browser and protect yourself.
Follow Gordon on Facebook
More On Forbes
Google Confirms Chrome’s 12th & 13th Zero-Day Hacks In 2021
Google Critics Explain Why You Should Quit Chrome