Google Patches Actively Exploited Zero-Day Security Flaw In Chrome, Update ASAP

If you employ Google's Chrome browser on your desktop, be aware there's an update available that patches up a handful of security flaws, including a zero-day vulnerability that is being actively exploited in the wild. As such, it's a tremendously good idea to manually update Chrome rather than waiting for an automatic roll-out.

That particular vulnerability is being tracked as CVE-2021-4102 with a 'High' rated threat level. The specific details of the bug are "Reserved," meaning they are not yet available to the general public. That's fairly common, as Google wants to ensure that Chrome users are properly patched and protected before serving up details that hackers could otherwise use to nefarious advantage.

"Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild," Google stated in a security advisory. "We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel."

There are three other High-rated security holes and one that is Critical. Here they are as outlined in the security advisory, along with their bug bounty award amounts (where applicable)...
  • [$NA][1263457] Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26
  • [$5000][1270658] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16
  • [$5000][1272068] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19
  • [$TBD][1262080] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair on 2021-10-21
  • [$TBD][1278387] High CVE-2021-4102: Use after free in V8. Reported by Anonymous on 2021-12-09
As to CVE-2021-4102, while fine-grained details are not available, Google does at least divulge that it is a "Use after free in V8" bug, V8 being Chrome's JavaScript engine. It's essentially a flaw within the browser's use of dynamic memory, and generally speaking these exploits can lead to crashes, corrupted data, and arbitrary code execution.

To initiate a manual update in Chrome, click the three vertical dots in the upper-right corner and navigate to Help > About Google Chrome. The latest version at the time of this writing is 96.0.4464.110.