On Thursday, Google rolled out urgent security updates for its Chrome browser that fix two new security flaws the firm says are being abused in the wild, making them the company’s fourth and fifth actively exploited zero-days this month.
As expected, the IT giant is withholding further information on how these zero-day vulnerabilities were exploited in attacks until most users have been patched. However, the company stated that “CVE-2021-37975 and CVE-2021-37976 exploits exist in the wild.”
CVE-2021-37975 was discovered by an anonymous researcher, whereas the credit for finding CVE-2021-37976 goes to Clément Lecigne from Google Threat Analysis Group. He was earlier credited with CVE-2021-37973, another extensively exploited use-after-free vulnerability in Chrome’s Portal API that was disclosed last week.
Since the beginning of 2021, Google has fixed a total of 14 zero-day vulnerabilities in its web browser. Two are mentioned above, and here is a list of the remaining twelve flaws:
Chrome users on Windows, Mac, and Linux should upgrade to the current version (94.0.4606.71) to avoid any potential danger of active exploitation. They can do so by heading to Settings > Help > “About Google Chrome”.
Google noted that access to technical details is restricted until a majority of users are updated with a fix.
“We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google noted.