Google Patches Two More Chrome Zero-Day Vulnerabilities


Google has released an emergency Chrome update to fix a pair of zero-days that are being exploited. Google released Chrome 94.0.4606.71 to the stable channel for Windows, Mac and Linux to fix the two zero-days, which were included in an update with a total of four security fixes. There have been 12 zero-days found in Chrome this year. As with the update earlier this month, Google isn't releasing the details until most users have had a chance to update. The company has started pushing out Chrome 94.0.4606.71 to users worldwide in the Stable Desktop channel, and it should be available to all users.

The flaws that were patched are both due to a use-after-free bug in the V8 JavaScript engine. V8 is Google's open-source, high-performance JavaScript and WebAssembly engine for Chrome and Chromium-based browsers. It translates JavaScript code into more efficient machine code instead of using an interpreter, which speeds up the web browser. Since this vulnerable component isn't specific to Google Chrome, other browsers based on Chromium may also be affected. Use-after-free issues can result in any number of attack types, ranging from the corruption of valid data to the execution of arbitrary code.


Security researcher Saryu Nayyar describes these flaws as one of the most dangerous software weaknesses. According to Nayyar, use-after-free vulnerabilities entail memory manipulation. When an application needs memory for a variable, either it programmatically allocates that memory or the underlying platform (JVM or .NET Runtime) does. When the application is done with that memory, either it or the platform returns it to the free memory list. If a hacker manages to get the memory address, they can gain access to the free memory list and insert malicious software into free memory. The next time that memory is allocated, it is allocated with a payload that can cause harm. Further, the memory isn't wiped clean when it is returned to the free memory list, giving hackers the ability to read the contents of that memory.
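The free-list behaviour described above, as an added example that is not from the article, Chrome or V8: a toy fixed-size pool in C (all names hypothetical, sample data constructed) showing that a freed slot keeps its old contents and is handed to the next allocation. The hardened mode wipes memory on free, and the generation check on handles rejects stale references and double frees.

```c
#include <stdint.h>
#include <string.h>
/* Toy fixed-size pool with a LIFO free list (constructed for illustration). */
#define SLOTS 4
#define SLOT_SIZE 16
typedef struct { int idx; uint32_t gen; } handle_t;  /* hypothetical handle */

static uint8_t  pool[SLOTS][SLOT_SIZE];
static uint32_t gen[SLOTS];      /* bumped on every free */
static int free_list[SLOTS], free_top, wipe_on_free;

void pool_init(int hardened) {
    memset(pool, 0, sizeof pool);
    memset(gen, 0, sizeof gen);
    free_top = 0;
    for (int i = SLOTS - 1; i >= 0; i--) free_list[free_top++] = i;
    wipe_on_free = hardened;
}
handle_t pool_alloc(void) {      /* most recently freed slot comes back first */
    handle_t h = { -1, 0 };      /* idx -1 means the pool is exhausted */
    if (free_top > 0) { h.idx = free_list[--free_top]; h.gen = gen[h.idx]; }
    return h;
}
int pool_free(handle_t h) {      /* returns -1 on a stale handle (double free) */
    if (h.idx < 0 || h.idx >= SLOTS || gen[h.idx] != h.gen) return -1;
    if (wipe_on_free) memset(pool[h.idx], 0, SLOT_SIZE);
    gen[h.idx]++;
    free_list[free_top++] = h.idx;
    return 0;
}

/* Unchecked access: behaves like a raw pointer kept after free. */
uint8_t *raw(handle_t h) { return pool[h.idx]; }
/* Checked access: NULL once the slot was freed after the handle was issued. */
uint8_t *checked(handle_t h) { return gen[h.idx] == h.gen ? pool[h.idx] : NULL; }

/* 1 if a stale handle still reads data written before the free. */
int stale_read_leaks(int hardened) {
    pool_init(hardened);
    handle_t a = pool_alloc();
    memcpy(raw(a), "secret-token", 13);
    pool_free(a);
    return memcmp(raw(a), "secret-token", 13) == 0;
}
/* 1 if the stale handle aliases the next allocation and only the check notices. */
int stale_aliases_new(void) {
    pool_init(0);
    handle_t a = pool_alloc(); pool_free(a);
    handle_t b = pool_alloc();
    return raw(a) == raw(b) && checked(a) == NULL && checked(b) != NULL;
}
```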

As Google is rushing out Chrome updates to fix zero-days as they are reported, it is always critical to install new browser updates as soon as they become available. The US Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory urging both users and system administrators to update their browsers. Normally, Chrome updates in the background when it is closed and reopened. However, if it has not been closed for a while, there might be pending updates. To check for pending updates, you can click More (three vertical dots) on the top right of the Chrome browser.