On Friday, Google came out with an emergency security fix for its Chrome web browser to address a security issue exploited in the wild.
The vulnerability, which is assigned the number CVE-2021-37973, has been classified as a use-after-free flaw in the Portals API.
Portals API is a web page navigation technology that allows one page to show another page as an inset and “conduct a smooth transition to a new state, where the previously-inset page becomes the top-level document.”
Clément Lecigne from Google Threat Analysis Group (TAG) was the first one to report this flaw, with technical assistance from Sergei Glazunov and Mark Brand from Google Project Zero. In the account of active exploits and to let most users apply the fix, more details about the vulnerability haven’t been revealed, but Google stated that it is “well-aware of an attack for CVE-2021-37973 existing in the wild.”
The upgrade comes only one day after Apple patched a widely exploited security flaw in earlier versions of macOS and iOS (CVE-2021-30869), which the TAG described as “used in combination with an N-day remote code execution targeting WebKit.”
Since the beginning of 2021, Google has patched a total of 12 zero-day vulnerabilities in Chrome. Here is the complete list of the flaws addressed:
- CVE-2021-21148
- CVE-2021-21166
- CVE-2021-21193
- CVE-2021-21206
- CVE-2021-21220
- CVE-2021-21224
- CVE-2021-30551
- CVE-2021-30554
- CVE-2021-30563
- CVE-2021-30632
- CVE-2021-30633
To reduce the risk associated with the vulnerability, Chrome users should upgrade to the current version (94.0.4606.61) for Mac, Windows, and Linux by going to Settings > Help > ‘About Google Chrome.’
However, no technical details are available at this time, as Google notes in its security update:
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.”