Software Vulnerabilities Within Google Chrome Have Been Exploited

Photo of The Reflection of a Google Page on a Human Eye

Google’s Chrome web browser seems to be on a roll these past few days. The latest news confirms that software vulnerabilities woes related to Google’s Chrome browser continue. This is now the second batch of Google software vulnerabilities in a row within a week that have included exploited software weaknesses. According to cybersecurity portal ThreatPost, “This hoists this year’s total number of zero days found in the browser up to a dozen.”

Particularly notable is the fact that these have been confirmed as critical ‘zero days‘. There may be a pattern taking place in the industry because exploited vulnerabilities have also recently been affecting products from other big corporations like Dell and Apple.

The Exploited Vulnerabilities

On September 30th, 2021 Google Chrome releases released information about another batch of multiple critical security vulnerabilities within Google’s Chrome browser. Of these, two have been confirmed as being exploited in the wild. The two vulnerabilities being exploited both benefit a remote attacker’s attempts to gain sensitive information on a vulnerable (unpatched) system, as well as potentially allow the attacker to completely compromise a vulnerable system.

Technical Details

The exploited software vulnerability CVE ID codes are; CVE-2021-37975 and CVE-2021-37976. 37975 is a Use-after-free vulnerability type that allows a remote attacker to create a specially crafted web page, trick the victim into visiting it, trigger a use-after-free error and execute arbitrary code on the target system. On the other hand, 37976 allows a remote attacker to gain access to potentially sensitive information. This weakness exists due to an excessive data output flaw in Google Chrome. A remote attacker can trick the victim to open a specially crafted web page and gain access to sensitive information. Google’s own security researchers (from Google TAG and Google Project Zero), as well as an anonymous researcher, have contributed to reporting these software vulnerabilities.

Vulnerable Software Versions

Google Chrome: 7.0.517.41, 7.0.517.44, 70.0.3538.67, 70.0.3538.77, 70.0.3538.102, 70.0.3538.110,  71.0.3578.80, 71.0.3578.98, 72.0.3626.81, 72.0.3626.96, 72.0.3626.109, 72.0.3626.119, 72.0.3626.121, 73.0.3683.75, 73.0.3683.86, 73.0.3683.103, 74.0.3729.108, 74.0.3729.131, 74.0.3729.157, 74.0.3729.169, 75.0.3770.80, 75.0.3770.90, 75.0.3770.100, 75.0.3770.142, 76.0.3809.87, 76.0.3809.100, 76.0.3809.132, 77.0.3865.75, 77.0.3865.90, 77.0.3865.120, 78.0.3904.70, 78.0.3904.87, 78.0.3904.97, 78.0.3904.108, 79.0.3945.79, 79.0.3945.88, 79.0.3945.117, 79.0.3945.130, 80.0.3987.87, 80.0.3987.100, 80.0.3987.106, 80.0.3987.116, 80.0.3987.122, 80.0.3987.132, 80.0.3987.149, 80.0.3987.162, 80.0.3987.163, 81.0.4044.92, 81.0.4044.113, 81.0.4044.122, 81.0.4044.129, 81.0.4044.138, 83.0.4103.61, 83.0.4103.97, 83.0.4103.106, 83.0.4103.116, 84.0.4147.89, 84.0.4147.105, 84.0.4147.125, 84.0.4147.135, 85.0.4183.83, 85.0.4183.102, 85.0.4183.121, 86.0.4240.75, 86.0.4240.111, 86.0.4240.183, 86.0.4240.193, 86.0.4240.198, 87.0.4280.66, 87.0.4280.88, 87.0.4280.141, 88.0.4324.96, 88.0.4324.104, 88.0.4324.146, 88.0.4324.150, 88.0.4324.182, 88.0.4324.190, 89.0.4389.72, 89.0.4389.82, 89.0.4389.90, 89.0.4389.114, 89.0.4389.128, 90.0.4430.72, 90.0.4430.85, 90.0.4430.93, 90.0.4430.212, 91.0.4472.77, 91.0.4472.101, 91.0.4472.106, 91.0.4472.114, 91.0.4472.124, 91.0.4472.164, 92.0.4515.107, 92.0.4515.131, 92.0.4515.159, 93.0.4577.63, 93.0.4577.82, 94.0.4606.54, 94.0.4606.61

Important User Information

User must update their Google Chrome web browser immediately to the updated ‘Stable Channel Update for Desktop’ version; 94.0.4606.71According to Google’s release report, “Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild.” Google is keeping in-depth technical and full exploit details silent for the time being.

Note: ThreatPost has also reported that one of the vulnerabilities, CVE-2021-37975, contains a component (the V8 JavaScript Engine) that is used by other web browsers, “Since this vulnerable component isn’t specific to Google Chrome, it’s a good bet that other browsers are affected by the bug as well.”

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.