On 13 September 2021, Google released Chrome 93.0.4577.82 for Windows, Mac, and Linux to fix 11 security vulnerabilities. We recommend updating to the latest version of Chrome as soon as possible.
Details
- The release fixes two high-severity vulnerabilities for which Google reports that exploits already exist in the wild.
- The first, tracked as CVE-2021-30632, is an out-of-bounds write in V8, the browser's JavaScript engine, reachable from attacker-controlled script on a web page.
- V8 is an open-source JavaScript engine developed by the Chromium Project for Google Chrome and other Chromium-based browsers, including Brave, Opera, Vivaldi and Microsoft Edge. V8 is also embedded in independent projects such as the Couchbase database server, the Node.js runtime and the Electron desktop application framework. The flaw has also been fixed in Microsoft Edge; other Chromium- and V8-based browsers and embedders remain exposed until they ship a build that contains the fix.
- The second, tracked as CVE-2021-30633, is a use-after-free (UAF) in Chrome's Indexed DB API implementation that leads to memory corruption.
- Exploiting either flaw requires a user running an unpatched Chrome to visit a web page crafted by the attacker. Successful exploitation can give the attacker remote code execution, denial of service or a bypass of security restrictions on the vulnerable system.
- The new version has started rolling out worldwide and will become available to all users over the next few days.
Recommendations
- Windows, Mac and Linux desktop users can update manually from the Chrome menu (⋮) -> Help -> About Google Chrome, or by opening chrome://settings/help.
- Chrome then checks for the new version, downloads it if available and offers a Relaunch button.
- The patched build is not in use until the browser is restarted. Notify users of the risk and ask them to relaunch Chrome so the fix takes effect, and verify afterwards that the version shown is 93.0.4577.82 or later.
- If Chrome is centrally managed in your organization, push the updated version to all endpoints as soon as possible and check the installed versions from your inventory rather than relying on user self-updates.
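The following script is an added example for this advisory, not Google's or Chrome's own tooling. It parses Chrome version strings, compares an installed version against the fixed release 93.0.4577.82 numerically (so that, for example, a hypothetical 93.0.4577.9 is correctly reported as older than 93.0.4577.82, which a plain string comparison gets wrong), audits a constructed host inventory, and makes a best-effort lookup of the local Chrome version using standard install locations and the BLBeacon registry key on Windows; the inventory data, host names and lookup paths are assumptions for illustration.

```python
"""Check whether installed Google Chrome builds are at or above the version
that fixes CVE-2021-30632 and CVE-2021-30633 (Chrome 93.0.4577.82).

Added example for this advisory; not Google's tooling. The inventory below
is constructed sample data, not real hosts.
"""
import platform
import re
import shutil
import subprocess
from typing import Dict, Optional, Tuple

FIXED_VERSION = "93.0.4577.82"  # stable release of 13 September 2021

# Chrome versions are four dot-separated integers (major.minor.build.patch).
VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a four-part version from text such as 'Google Chrome 93.0.4577.82'."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is at or above the fixed build.

    Tuples are compared element-wise, so 93.0.4577.9 < 93.0.4577.82 even
    though the string "93.0.4577.9" sorts after "93.0.4577.82".
    """
    return parse_version(installed) >= parse_version(fixed)


def audit(inventory: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify each host as 'patched', 'VULNERABLE' or 'unknown' (no Chrome found)."""
    result = {}
    for host, version in inventory.items():
        if version is None:
            result[host] = "unknown"
        else:
            result[host] = "patched" if is_patched(version) else "VULNERABLE"
    return result


def installed_chrome_version() -> Optional[str]:
    """Best-effort lookup of the local Chrome version; None when not found.

    Assumption: default install locations (Windows BLBeacon registry key,
    the macOS app bundle, or a google-chrome/chromium binary on PATH).
    """
    system = platform.system()
    if system == "Windows":
        try:
            import winreg  # Windows-only module
        except ImportError:
            return None
        for root in (winreg.HKEY_CURRENT_USER, winreg.HKEY_LOCAL_MACHINE):
            try:
                with winreg.OpenKey(root, r"Software\Google\Chrome\BLBeacon") as key:
                    return winreg.QueryValueEx(key, "version")[0]
            except OSError:
                continue
        return None
    candidates = ["google-chrome", "google-chrome-stable", "chromium", "chromium-browser"]
    if system == "Darwin":
        candidates.insert(0, "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome")
    for exe in candidates:
        path = shutil.which(exe)  # also accepts an absolute path
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True, text=True,
                                 timeout=10, check=False).stdout
        except (OSError, subprocess.SubprocessError):
            continue
        m = VERSION_RE.search(out)
        if m:
            return m.group(1)
    return None


# Constructed sample inventory (host -> reported Chrome version), not real data.
SAMPLE_INVENTORY: Dict[str, Optional[str]] = {
    "ws-001": "93.0.4577.82",  # exactly the fixed build
    "ws-002": "93.0.4577.63",  # earlier Chrome 93 build, still exposed
    "ws-003": "94.0.4606.54",  # later release, contains the fix
    "ws-004": "93.0.4577.9",   # hypothetical value that defeats string comparison
    "ws-005": None,            # no Chrome found on the host
}

if __name__ == "__main__":
    for host, state in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
    local = installed_chrome_version()
    if local is None:
        print("local: Chrome not found")
    else:
        print(f"local: {local} -> {'patched' if is_patched(local) else 'VULNERABLE'}")
```

Feed `audit()` the version column exported from your endpoint-management tool to get a list of hosts that still need the update; `installed_chrome_version()` only covers the local machine and is intended for a quick spot check after a relaunch.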
References