Security News > 2021 > September > Google Emergency Update Fixes Two Chrome Zero Days
Google has pushed out an emergency Chrome update to fix yet another pair of zero days - the second pair this month - that are being exploited in the wild.
On Thursday evening, the web Goliath released the Chrome 94.0.4606.71 stable channel release for Windows, Mac and Linux to fix the two zero-days, which were included in an update with a total of four security fixes.
"Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild," Google disclosed with the release of the browser fixes.
Just as it did with the pair of zero days that were being exploited in the wild earlier this month, Google is keeping technical details close to the vest, at least until most users have had a chance to plug in the update.
The earlier pair of zero days Google addressed this month in a Sept. 13 update, CVE-2021-30632 and CVE-2021-30633, were likewise being actively exploited in the wild.
If an attacker has managed to get the memory address, the actor "Can gain access to the free memory list, and insert malicious software into free memory," Nayyar continued.
News URL
https://threatpost.com/google-emergency-update-chrome-zero-days/175266/
Related news
- Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day (source)
- Google: 70% of exploited flaws disclosed in 2023 were zero-days (source)
- Google to let businesses create curated Chrome Web Stores for extensions (source)
- How to enable Safe Browsing in Google Chrome on Android (source)
- Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices (source)
- New tool bypasses Google Chrome’s new cookie encryption system (source)
- Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine (source)
- Google fixes two Android zero-days used in targeted attacks (source)
- Google says “Enhanced protection” feature in Chrome now uses AI (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-10-08 | CVE-2021-37976 | Missing Authorization vulnerability in multiple products Inappropriate implementation in Memory in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. | 6.5 |
| 2021-10-08 | CVE-2021-37975 | Use After Free vulnerability in multiple products Use after free in V8 in Google Chrome prior to 94.0.4606.71 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2021-10-08 | CVE-2021-30633 | Use After Free vulnerability in multiple products Use after free in Indexed DB API in Google Chrome prior to 93.0.4577.82 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. | 9.6 |
| 2021-10-08 | CVE-2021-30632 | Out-of-bounds Write vulnerability in multiple products Out of bounds write in V8 in Google Chrome prior to 93.0.4577.82 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |