It’s time to update Chrome and once again, for the third month in a row, Google has fixed two previously unknown ‘zero-day’ bugs in the world’s most popular desktop browser.
Google disclosed that it had patched the two high-severity zero-day flaws in release notes for the stable release of Chrome version 95.0.4638.69 for Windows, Mac and Linux. Any version number higher than that will have the fixes.
It’s a good idea to check out Google’s support page for Chrome updates, which explains how Chrome can be set to automatically update when patches become available. Otherwise, Chrome has an ‘Update’ button that is coloured red if an update is at least a week old, indicating that it should be installed.
The two zero-day flaws — which are being exploited by attackers now — are being tracked with the identifiers CVE-2021-38000 and CVE-2021-38003. Both were found by Google’s Threat Analysis Group (TAG), which tracks state-sponsored and cyber-criminal exploit activity.
The second of the two zero-days was also reported by Samuel Groß from Google Project Zero on 26 October, indicating how fast Google is responding to zero-day discoveries.
CVE-2021-38000 is a design flaw due to “insufficient validation of untrusted input in Intents”. It was reported by TAG on September 15.
“Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild,” Google said in release notes. The update will roll out over the coming days or weeks, according to Google.
There are eight, mostly memory-related, security fixes in this Chrome update. The currently listed high-severity flaws include a use-after-free in Sign-in, another use-after-free in Chrome’s garbage collection, insufficient data validation in Chrome’s New Tab page, a type confusion in V8, and a use-after-free in Web Transport.
This Chrome release marks the 14th zero-day flaw Google has patched in Chrome this year. The 10th was in mid-September when it patched two zero-days. It patched two more zero-days at the end of September and a further two on Thursday.
Google hasn’t attributed the exploits to any hacking group.
That Google has patched an unusually high number of zero-day flaws in Chrome in 2021 could be interpreted in several ways. The more that get discovered and the quicker they’re fixed via updates is good for end-users. Once patched, the exploit is less valuable. This could mean defenders are getting better at spotting zero-days.
On the other hand, Google Project Zero has seen an uptick in zero-days affecting major platforms like Chrome, Windows, and iOS in the past year. The reason for that could be the commercialisation of the zero-day exploit market, providing a shortcut to the acquisition of exploits that otherwise require skills to develop.