Google currently restricts information about hacks in order to make it easier for Chrome users to upgrade. This is a standard practice. We have only the following information:
- High – CVE-2021-37977 : Use after free in Garbage Collection. Report by Anonymous, 2021-09-24
- High CVE-2021-377978 : Blink buffer overflow. Reported by Yangkang, @dnpushme, of 360 ATA on 2021/08/04
- High CVE-20237979 : WebRTC buffer overflow. Report by Marcin Towalski, Cisco Talos, on 2021-09/07.
- High – – Inappropriate Implementation in Sandbox. Reported by Yonghwi Jin, @jinmo123, on 2021-09-30
These descriptions don’t offer much insight, but it’s interesting to see Chrome continue to be attacked with ‘Use After-Free’ ( UAF). In September, the browser was subject to double-digit UAF attacks. This month, hackers exploited a zero day UAF flaw in chrome.
It was less surprising to see a pair Heap buffer overload exploits listed. This is a memory vulnerability, also known as Heap Smashing. However, it is not a common avenue for Chrome hackers in recent months. The heap contains program data and is dynamically allocated. Critical data structures may be overwritten by an overflow making it a prime target for attackers.
Google responded by releasing a critical update. Google warns Chrome users that rollouts will be delayed so that not all will be protected immediately. To verify if you are safe, go to Settings >Help > About Google Chrome. You are safe if your Chrome version is at least 94.0.4606.81. You can still update your browser if the update is not available.
Remember the last step after you have updated Chrome: Chrome cannot be restarted until it is safe again. This makes it a two-way operation. Google can speed track fixes to Chrome hacks but users will not be protected if they do not restart their browsers after updating. Hackers count on this false sense of security. Go check your browser now.
First seen at: Forbes
Entireweb Articles – Read the latest Articles and News in Search Engine related world!