Chrome’s 2.6 billion users again need to be on high alert (for the fourth time this month). Google has confirmed multiple new ‘High’ rated vulnerabilities in the browser, and they are an immediate threat.
Following confirmation of five serious vulnerabilities last week, Google has published a new blog post revealing that a further seven ‘High’ rated vulnerabilities have now been found in Chrome. These include Chrome’s 14th and 15th ‘zero-day’ hacks this year, and Linux, macOS and Windows users are all affected. Zero-day hacks are exploits that reached attackers before Google could issue a fix, which puts all Chrome users in immediate danger.
Here’s everything you need to know and the action you must now take.
Chrome’s New Vulnerabilities
Sticking to policy, Google is restricting information about the new hacks to buy time for Chrome users to upgrade, but the company does go on the record saying: “Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild.” Here is the full list of the new Chrome vulnerabilities:
- High – CVE-2021-37997 : Use after free in Sign-In. Reported by Wei Yuan of MoyunSec VLab on 2021-10-14
- High – CVE-2021-37998 : Use after free in Garbage Collection. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-13
- High – CVE-2021-37999 : Insufficient data validation in New Tab Page. Reported by Ashish Arun Dhone on 2021-09-21
- High – CVE-2021-38000 : Insufficient validation of untrusted input in Intents. Reported by Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group on 2021-09-15
- High – CVE-2021-38001 : Type Confusion in V8. Reported by Kunlun Lab via Tianfu Cup on 2021-10-16
- High – CVE-2021-38002 : Use after free in Web Transport. Reported by @__R0ng of 360 Alpha Lab, 漏洞研究院青训队 via Tianfu Cup on 2021-10-16
- High – CVE-2021-38003 : Inappropriate implementation in V8. Reported by Clément Lecigne from Google TAG and Samuel Groß from Google Project Zero on 2021-10-26
Yes, the specifics are missing, but the pattern is familiar: ‘Use-After-Free’ (UAF) exploits again make up the majority of successful attacks. UAF exploits hit Chrome more than 10x last month and have been the source of zero-day hacks in October as well. A UAF vulnerability is a memory-safety bug: the program frees a block of memory but keeps a pointer to it instead of clearing it, and any later use of that dangling pointer can be turned against the program.
What You Need To Do
Google has released a critical Chrome update to combat these attacks, version 95.0.4638.69. Be warned: Google states that the rollout of this update will be staggered and “roll out over the coming days/weeks”. This means you may not be able to protect yourself immediately.
To check if you are protected, navigate to Settings > Help > About Google Chrome. If your Chrome version is 95.0.4638.69 or higher, you are safe. If the update is not yet available for your browser, make sure you check regularly for the new version.
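For anyone checking more than one machine, the version comparison above is easy to get wrong: compared as text, 95.0.4638.7 ranks above 95.0.4638.69. The following is an added example (not from the article or from Google) that parses the version string Chrome prints, for instance the output of a `google-chrome --version` call, and compares it numerically against the fixed build named in the article; the sample strings are constructed.

```python
import re

# The fixed build the article names; everything at or above it is patched.
FIXED_VERSION = "95.0.4638.69"


def parse_version(text):
    """Pull a four-part Chrome version out of a string such as
    'Google Chrome 95.0.4638.69' and return it as a tuple of ints."""
    match = re.search(r"(\d+(?:\.\d+){3})", text)
    if not match:
        raise ValueError(f"no Chrome version found in: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(installed, fixed=FIXED_VERSION):
    """True when the installed build is at or above the fixed build.
    Tuples compare component by component, so 4638.7 < 4638.69 as it should;
    a plain string comparison would rank '7' above '6' and give the wrong answer."""
    return parse_version(installed) >= parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inputs, not output captured from any real machine.
    samples = [
        "Google Chrome 95.0.4638.69",
        "Google Chrome 95.0.4638.54",
        "Google Chrome 95.0.4638.7",
        "Chromium 96.0.4664.45",
    ]
    for sample in samples:
        status = "patched" if is_patched(sample) else "UPDATE NEEDED"
        print(f"{sample:32} -> {status}")
```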
And remember, after you update there is one crucial final step: restart your browser. Even if you have updated, Chrome will not be protected until you restart it. It is to Google’s credit that fixes for high-level attacks are typically released within days of their discovery, but their effectiveness still relies upon billions of users restarting their browsers.
Furthermore, attacks on Chrome are growing. In July, Google revealed there had already been more zero-day exploits of browsers than in the whole of 2020. This means it is now vital to keep Chrome up-to-date at all times. Go check it now.