Particularly notable is the fact that these have been confirmed as critical ‘zero days‘. There may be a pattern taking place in the industry because exploited vulnerabilities have also recently been affecting products from other big corporations like Dell and Apple.
The Exploited Vulnerabilities
On September 30th, 2021 Google Chrome releases released information about another batch of multiple critical security vulnerabilities within Google’s Chrome browser. Of these, two have been confirmed as being exploited in the wild. The two vulnerabilities being exploited both benefit a remote attacker’s attempts to gain sensitive information on a vulnerable (unpatched) system, as well as potentially allow the attacker to completely compromise a vulnerable system.
Technical Details
The exploited software vulnerability CVE ID codes are; CVE-2021-37975 and CVE-2021-37976. 37975 is a Use-after-free vulnerability type that allows a remote attacker to create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system. On the other hand, 37976 allows a remote attacker to gain access to potentially sensitive information. This weakness exists due to an excessive data output flaw in Google Chrome. A remote attacker can trick the victim to open a specially crafted web page and gain access to sensitive information. Google’s own security researchers (from Google TAG and Google Project Zero), as well as an anonymous researcher, have contributed to reporting these software vulnerabilities.
Vulnerable Software Versions
Google Chrome: 7.0.517.41, 7.0.517.44, 70.0.3538.67, 70.0.3538.77, 70.0.3538.102, 70.0.3538.110, 71.0.3578.80, 71.0.3578.98, 72.0.3626.81, 72.0.3626.96, 72.0.3626.109, 72.0.3626.119, 72.0.3626.121, 73.0.3683.75, 73.0.3683.86, 73.0.3683.103, 74.0.3729.108, 74.0.3729.131, 74.0.3729.157, 74.0.3729.169, 75.0.3770.80, 75.0.3770.90, 75.0.3770.100, 75.0.3770.142, 76.0.3809.87, 76.0.3809.100, 76.0.3809.132, 77.0.3865.75, 77.0.3865.90, 77.0.3865.120, 78.0.3904.70, 78.0.3904.87, 78.0.3904.97, 78.0.3904.108, 79.0.3945.79, 79.0.3945.88, 79.0.3945.117, 79.0.3945.130, 80.0.3987.87, 80.0.3987.100, 80.0.3987.106, 80.0.3987.116, 80.0.3987.122, 80.0.3987.132, 80.0.3987.149, 80.0.3987.162, 80.0.3987.163, 81.0.4044.92, 81.0.4044.113, 81.0.4044.122, 81.0.4044.129, 81.0.4044.138, 83.0.4103.61, 83.0.4103.97, 83.0.4103.106, 83.0.4103.116, 84.0.4147.89, 84.0.4147.105, 84.0.4147.125, 84.0.4147.135, 85.0.4183.83, 85.0.4183.102, 85.0.4183.121, 86.0.4240.75, 86.0.4240.111, 86.0.4240.183, 86.0.4240.193, 86.0.4240.198, 87.0.4280.66, 87.0.4280.88, 87.0.4280.141, 88.0.4324.96, 88.0.4324.104, 88.0.4324.146, 88.0.4324.150, 88.0.4324.182, 88.0.4324.190, 89.0.4389.72, 89.0.4389.82, 89.0.4389.90, 89.0.4389.114, 89.0.4389.128, 90.0.4430.72, 90.0.4430.85, 90.0.4430.93, 90.0.4430.212, 91.0.4472.77, 91.0.4472.101, 91.0.4472.106, 91.0.4472.114, 91.0.4472.124, 91.0.4472.164, 92.0.4515.107, 92.0.4515.131, 92.0.4515.159, 93.0.4577.63, 93.0.4577.82, 94.0.4606.54, 94.0.4606.61
Important User Information
User must update their Google Chrome web browser immediately to the updated ‘Stable Channel Update for Desktop’ version; 94.0.4606.71. According to Google’s release report, “Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.” Google is keeping in-depth technical and full exploit details silent for the time being. Note: ThreatPost has also reported that one of the vulnerabilities, CVE-2021-37975, contains a component (the V8 JavaScript Engine) that is used by other web browsers, “Since this vulnerable component isn’t specific to Google Chrome, it’s a good bet that other browsers are affected by the bug as well.”