On 30 September 2021, Google released Chrome 94.0.4606.71 for Windows, Mac, and Linux, to address four security issues. Among them are two currently exploited vulnerabilities. We recommend updating to the latest version of Chrome as soon as possible.
Details
- The latest Chrome version fixes two vulnerabilities that are being leveraged by threat actors.
- The first flaw, tracked as CVE-2021-37975, is a use-after-free flaw in V8, an open-source JavaScript engine developed by the Chromium Project for Google Chrome and other Chromium-based web browsers. The vulnerability was assigned a High-severity rating. If a user visits a malicious website, a remote threat actor could execute arbitrary code or cause a denial of service on the affected system. CVSS v3.1: 8.8.
- The second, tracked as CVE-2021-37976, is a Medium-severity issue described as an "information leak in core". A remote threat actor, able to convince the victim to visit a malicious website, would be able to use this flaw to obtain sensitive information from the affected browser. CVSS v3.1: 6.5.
- This new version is being deployed worldwide and will become available to users with auto-updates enabled over the next few days. The update will have to be applied manually if automatic updates are not enabled.
Recommendations
- We recommend that Windows, Mac, and Linux desktop users manually upgrade now to the latest Chrome version by going to Settings -> Help -> About Google Chrome.
- The Google Chrome web browser will then automatically check for the new update and install it if available.
- We recommend notifying users of this risk and requesting that they restart their browser to ensure the needed security patches are applied.
- If software is managed centrally within your organization, we recommend updating this software as soon as possible.
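For centrally managed fleets, the check below sorts hosts by whether their reported Chrome version is at or above the fixed build 94.0.4606.71. It is an added example, not part of the original advisory; the `host,version string` inventory format, the hostnames and the sample readings are assumptions constructed for illustration.

```python
import re

# Fixed build named in the advisory (Windows, Mac, Linux).
FIXED = (94, 0, 4606, 71)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Return the first four-part version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def triage(inventory_lines):
    """Split 'host,version string' lines into patched / vulnerable / unknown hosts."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, raw = line.partition(",")
        version = parse_version(raw)
        if version is None:
            result["unknown"].append(host)      # no usable version: check by hand
        elif version >= FIXED:                  # tuple compare is numeric, not lexical
            result["patched"].append(host)
        else:
            result["vulnerable"].append(host)
    return result


# Constructed sample inventory (hostnames and readings are made up for illustration).
SAMPLE = [
    "# host,reported version",
    "ws-001,Google Chrome 94.0.4606.71",
    "ws-002,Google Chrome 94.0.4606.61",
    "ws-003,Google Chrome 93.0.4577.82",
    "ws-004,Google Chrome 100.0.4896.60",
    "ws-005,not installed",
    "ws-006,94.0.4606",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:<10} {', '.join(hosts) or '-'}")
```

Feed it the version the running browser reports: an updated installation keeps running the old build until the browser is restarted.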