Google Released Emergency Chrome Update to Address Zero-Day Exploit Employed in Attacks

Chrome 96.0.4664.110 for Windows, Linux, and Mac has been issued to fix a high-severity zero-day flaw that has been exploited in the wild. In its latest security advisory, Google stated that it is aware of reports that an exploit for CVE-2021-4102 exists in the wild. Google says it will take some time for this update to reach all users, but it has already started rolling out Chrome 96.0.4664.110 on the Stable Desktop channel throughout the world.

“Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild. We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel. Many of our security bugs are detected using AddressSanitizer, MemorySanitizer, UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL,” the alert reads.

The CVE-2021-4102 zero-day issue was disclosed by an unknown security researcher and is a use-after-free flaw in the Chrome V8 JavaScript engine. Attackers frequently exploit use-after-free weaknesses to run arbitrary code or bypass the browser’s security sandbox on PCs running unpatched Chrome versions. While Google stated that it had observed attacks using this zero-day in the wild, it did not provide any more information.

Google said, “Access to bug details and links may be kept restricted until a majority of users are updated with a fix.”

“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.” This should give users ample time to upgrade Chrome and avoid exploitation attempts before the browser vendor discloses further information on the bug’s in-the-wild exploitation.

Since the start of 2021, Google has patched 16 Chrome zero-day vulnerabilities. Because attackers have been exploiting this zero-day in the wild, installing the newest Google Chrome update as soon as it becomes available is strongly advised.

About the author

CIM Team
