Google pushed an emergency Chrome update this week to fix a severe zero-day vulnerability that has been exploited in the wild.
The patched zero-day, tracked as CVE-2021-4102, was reported by an anonymous researcher on the 9th of December, but little else is known about it. Google Chrome’s Stable and Extended Stable channels were then updated to 96.0.4664.110 for Windows, Mac, and Linux users.
The update is expected to roll out over the next few days or weeks but could take some time to reach every browser, Google announced. However, the update seems to be rolling out already.
Chrome performs regular checks for recent updates and applies them automatically upon re-launching the browser. However, users can also apply this update manually via the About Google Chrome section that can be found in the browser’s Help menu.
Aside from the zero-day vulnerability, Google Chrome’s latest update includes another four security fixes, also contributed by external researchers.
[$NA]Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26
[$5000]High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16
[$5000]High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19
[$TBD]High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair on 2021-10-21
[$TBD]High CVE-2021-4102: Use after free in V8. Reported by Anonymous on 2021-12-09
Despite detecting in-the-wild exploits targeting the CVE-2021-4102 zero-day vulnerability, Google shared no additional details of the attacks.
The company added that it may restrict access to bug details and links until most users update their Chrome web browsers with a fix. Access to these details may remain restricted if the bug is detected in third-party libraries of other projects that didn’t get the chance to patch it.