Google Fixes Two New Zero-Day Bugs in Chrome

Google just fixed two more zero-day vulnerabilities a new update for the regular, stable release of their Chrome browser. The exploits have been exploited in the wild, just like the previous couple of vulnerabilities that the company fixed in the browser.

The new version number for the latest bugfix of the Chrome platform, as released on the stable version channel, is 94.0.4606.71. The update is available on all major desktop platforms that run Chrome, including Windows, Linux and Mac.

Google also released an official statement, informing the public that the development team is aware of the fact that the two most recently patched vulnerabilities have already been exploited in the wild. The CVE designators for the two bugs are respectively CVE-2021-37975 and CVE-2021-37976. Fixes for both of those were included in the 4606.71 patch release.

There is no complete information surrounding the specifics of the two vulnerabilities, as Google wants to make sure everyone has received the patch through Chrome's auto updater. The official statement from Google highlighted that "access to bug details and links may be kept restricted" until the patch has been completely deployed worldwide.

As of the time of this writing, our system has already received the patch, so it's safe to assume that it will be rolled out and available to everyone within a few more hours, at worst.

What is known about the two vulnerabilities is that CVE-2021-37976 is rated as a medium severity bug according to CVE standards and involves an "information leak in core". The other vulnerability is described as a bug in the browser's V8 JS engine. Unlike the 37976 vulnerability, the JavaScript one is classified as high severity.

The JS engine bug is also described as a 'user-after-free' vulnerability - a term used for issues that allow a threat actor to hack into a program which has freed up a chunk of memory but has not cleared the pointed associated with that chunk.

October 1, 2021