Google Pushes Emergency Chrome Update to Fix Zero-day Used in Attacks
Google has released Chrome 96.0.4664.110 for Windows, Mac, and Linux, to address a high-severity zero-day vulnerability exploited in the wild.
“Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild,” the browser vendor said in today’s security advisory.
Although the company says this update may take some time to reach all users, the update has already begun rolling out Chrome 96.0.4664.110 worldwide in the Stable Desktop channel.
The update was available immediately when BleepingComputer checked for new updates from Chrome menu > Help > About Google Chrome. The browser will also auto-check for recent updates and update itself automatically after the next launch.
Zero-day exploitation details not revealed
Attackers commonly exploit use after free bugs to execute arbitrary code on computers running unpatched Chrome versions or escape the browser’s security sandbox.
While Google said it detected in the wild attacks abusing this zero-day, it did not share additional info regarding these incidents.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” Google added.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”
Until the browser vendor releases additional details regarding this bug’s in the wild exploitation, users should have enough time to upgrade Chrome and prevent exploitation attempts.
Sixteenth Chome zero-day fixed this year
With this update, Google has addressed 16 Chrome zero-day vulnerabilities since the start of the year.
The other 15 zero-days patched in 2021 are listed below:
- CVE-2021-21148 – February 4th
- CVE-2021-21166 – March 2nd
- CVE-2021-21193 – March 12th
- CVE-2021-21220 – April 13th
- CVE-2021-21224 – April 20th
- CVE-2021-30551 – June 9th
- CVE-2021-30554 – June 17th
- CVE-2021-30563 – July 15th
- CVE-2021-30632 and CVE-2021-30633 – September 13th
- CVE-2021-37973 – September 24th
- CVE-2021-37976 and CVE-2021-37975 – September 30th
- CVE-2021-38000 and CVE-2021-38003 – October 28th
Because this zero-day is known to have been used by attackers in the wild, installing today’s Google Chrome update is strongly recommended as soon as it’s available.