Chrome users be warned: the attacks on Chrome continue to intensify, and Google has now confirmed two more critical hacks.
In a new blog post, Google reveals that Chrome’s 12th and 13th ‘zero day’ exploits of the year have been found (CVE-2021-37975 and CVE-2021-37976) and they affect Linux, macOS and Windows users. Zero-day flaws are critical because they are known to hackers before Google could release a fix. This places Chrome users in immediate danger. Google repeats this, stating it “is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.”
As is protocol, Google is restricting information about both hacks to buy time for Chrome users to upgrade. The only details the company has revealed are below, along with a further ‘High’ rated threat:
- High — CVE-2021-37974 : Use after free in Safe Browsing. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi’anxin Group on 2021-09-01
- High — CVE-2021-37975 : Use after free in V8. Reported by Anonymous on 2021-09-24
- Medium — CVE-2021-37976 : Information leak in core. Reported by Clément Lecigne from Google TAG, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero on 2021-09-21
Notably, the first zero-day attack is a ‘Use-After-Free’ (UAF) vulnerability, a class of flaw which has been targeted repeatedly by hackers over the last few months. Double-digit UAF attacks were recorded on Chrome in September and October looks set to go the same way. UAF vulnerabilities are memory flaws that occur when a program fails to clear a pointer to memory after that memory has been freed, leaving a dangling pointer that can still be used.
To combat this, Google has released a critical update. The company does warn Chrome users that the rollout will be staggered, so not everyone will be able to protect themselves immediately. To check if you are protected, navigate to Settings > Help > About Google Chrome. If your Chrome version is 94.0.4606.71 or higher, you are safe. If the update is not yet available for your browser, check regularly for the new version.
And remember the crucial final step. Even after updating, Chrome is not safe until it is restarted. Google is fast to patch Chrome hacks, but hackers find rich pickings from Chrome users who don’t realize they are still vulnerable after the update installs. Go check your browser now.
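The update-then-restart check described above, as an added example (not from the article or from Google): it compares Chrome versions numerically against the fixed build 94.0.4606.71 and separates hosts that still need the update from hosts that have it installed but are still running the old binary. The inventory layout, host names and sample versions are constructed assumptions; how the installed and running versions are collected is left to your own tooling.

```python
# Added example: triage hosts against the fixed Chrome build named in the article.
FIXED = "94.0.4606.71"  # fixed version stated in the article


def parse(version):
    """Turn 'A.B.C.D' into a tuple of ints so comparison is numeric, not textual."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {version!r}")
    return tuple(int(p) for p in parts)


def status(installed, running, fixed=FIXED):
    """Return 'update', 'restart' or 'ok' for one host.

    installed: version on disk; running: version of the live browser process.
    (Both fields are assumptions about what an inventory tool reports.)
    """
    target = parse(fixed)
    if parse(installed) < target:
        return "update"    # fix not installed yet
    if parse(running) < target:
        return "restart"   # fix installed, old binary still running
    return "ok"


# Constructed inventory: (host, installed version, running version)
INVENTORY = [
    ("host-a", "94.0.4606.71", "94.0.4606.71"),
    ("host-b", "94.0.4606.71", "94.0.4606.54"),    # updated, never restarted
    ("host-c", "94.0.4606.54", "94.0.4606.54"),    # update not rolled out yet
    ("host-d", "94.0.4606.100", "94.0.4606.100"),  # newer; string compare gets this wrong
]


def triage(inventory):
    return {host: status(inst, run) for host, inst, run in inventory}


if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}: {result}")
```

A plain string comparison would rank `94.0.4606.100` below `94.0.4606.71`, which is why the versions are parsed into integers first.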