Software vulnerabilities are among the most serious technical problems a major vendor can face, translating directly into risk for users and damage to the brand. That is doubly true when a vulnerability has been confirmed as exploited in the wild. In the not-so-distant past, both Apple and Google have dealt with a string of such issues caused by coding weaknesses, particularly in their web browsers.

The term "exploited" means that a software bug is already being taken advantage of for malicious purposes, for example by using it for remote code execution against unpatched systems. That is the situation with this particular Chrome vulnerability: Google's own release notes state that "Google is aware that an exploit for CVE-2021-37973 exists in the wild."

Google Chrome’s Track Record

Google Chrome's track record is, objectively speaking, not a clean one in either browser security or user data privacy. A steady flow of browser code vulnerabilities, data confidentiality issues, and even malicious extensions stealing cryptocurrency wallet keys have all been reported in the past.

About The Exploited Google Chrome Vulnerability

A stable channel update notice was posted on Google's Chrome Releases blog on September 24th, 2021. The notice covers a remote code execution risk in the Chrome browser. The vulnerability, tracked as CVE-2021-37973 in the public CVE database, is rated High severity in Google's release notes; CVSS-based scoring in the public CVE/NVD entry places it in the Critical band.

Technical Details

The vulnerability is a use-after-free: memory belonging to an object is released while some part of the code still holds a pointer to it, and that pointer is dereferenced afterwards. Here the error occurs when processing HTML content within the Portals component of Chrome (Portals is the experimental Blink feature that embeds another page in a <portal> element and can "activate" it to navigate into it). A remote attacker can host a specially crafted website, trick the victim into visiting it, trigger the use-after-free and execute arbitrary code. Because Portals is implemented in Chrome's C++ rendering code, the code execution obtained this way lands in the renderer process; Chrome's renderer runs inside a sandbox, so fully compromising the underlying operating system normally requires chaining a renderer bug like this one with a separate sandbox-escape bug. Google's notice confirms the exploit exists in the wild but does not describe the full chain.
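To make the bug class concrete, the following is an added, constructed example and is not Chromium's Portals code or Google's fix. It uses a tiny fixed-slot allocator (assumed here so that "freed" memory stays addressable and its reuse is deterministic) to show the two halves of a typical use-after-free: a component keeps a raw pointer to an object that the document tears down, the attacker's page allocates a same-sized object so it lands in the freed slot and fills it with controlled bytes, and the stale pointer then reads attacker data. The "fixed" variant replaces the raw pointer with a generation-checked handle so a stale reference is rejected instead of served.

```c
/* Illustrative use-after-free (UAF) and a generation-checked fix.
 * Constructed example: NOT Chromium's Portals code, NOT Google's patch. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Object type held by a hypothetical "portal" component. */
typedef struct {
    char     name[16];
    uint32_t frame_id;
} node_t;

#define SLOT_SIZE  32
#define POOL_SLOTS 4

/* One pool slot: the same bytes viewed as a node_t or as raw attacker-controlled data. */
typedef union {
    node_t  node;
    uint8_t raw[SLOT_SIZE];
} slot_t;

/* A fixed-slot allocator (assumed for the demo) so "freed" memory stays
 * addressable and reuse is deterministic. Real heaps behave similarly but
 * less predictably, which is what heap grooming works around. */
typedef struct {
    slot_t   slots[POOL_SLOTS];
    bool     in_use[POOL_SLOTS];
    uint32_t generation[POOL_SLOTS];  /* bumped on every free; used by the fixed flow */
} pool_t;

static int pool_alloc(pool_t *p) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!p->in_use[i]) {
            p->in_use[i] = true;
            memset(&p->slots[i], 0, sizeof p->slots[i]);
            return i;
        }
    }
    return -1;
}

static void pool_free(pool_t *p, int slot) {
    p->in_use[slot] = false;
    p->generation[slot]++;
}

/* What the attacker's page does after the node is torn down: allocate an
 * object of the same size so it lands in the freed slot, then fill it. */
static void attacker_reclaims_slot(pool_t *p) {
    int s = pool_alloc(p);                     /* first free slot == the one just freed */
    memset(p->slots[s].raw, 'A', SLOT_SIZE);   /* every field now reads 0x41414141 */
}

/* VULNERABLE: the component caches a raw pointer and keeps using it after
 * the document frees the node. Returns the frame_id it observes. */
uint32_t vulnerable_flow(void) {
    pool_t pool = {0};
    int s = pool_alloc(&pool);
    node_t *cached = &pool.slots[s].node;      /* raw pointer, no ownership or liveness check */
    strcpy(cached->name, "portal-frame");
    cached->frame_id = 7;

    pool_free(&pool, s);                       /* document teardown frees the node */
    attacker_reclaims_slot(&pool);             /* heap grooming by the attacker's page */

    return cached->frame_id;                   /* UAF: attacker-controlled value, not 7 */
}

/* FIXED: store a handle {slot, generation} and validate it on every access. */
typedef struct { int slot; uint32_t generation; } handle_t;

static node_t *resolve(pool_t *p, handle_t h) {
    if (h.slot < 0 || h.slot >= POOL_SLOTS) return NULL;
    if (!p->in_use[h.slot] || p->generation[h.slot] != h.generation) return NULL; /* stale */
    return &p->slots[h.slot].node;
}

/* Returns true when the stale access is rejected (NULL) rather than served. */
bool fixed_flow(void) {
    pool_t pool = {0};
    int s = pool_alloc(&pool);
    handle_t cached = { s, pool.generation[s] };
    resolve(&pool, cached)->frame_id = 7;

    pool_free(&pool, s);
    attacker_reclaims_slot(&pool);             /* slot is reused, but its generation moved on */

    return resolve(&pool, cached) == NULL;
}

int main(void) {
    printf("vulnerable flow observed frame_id = 0x%08x\n", vulnerable_flow());
    printf("fixed flow rejected stale handle: %s\n", fixed_flow() ? "yes" : "no");
    return 0;
}
```

The vulnerable flow returns 0x41414141 rather than the 7 the component wrote, which is exactly the primitive an exploit builds on: the freed object is replaced by one whose contents the attacker chooses, and the victim code then acts on those contents (a fake pointer or vtable in a real browser). The fix shown is one general mitigation pattern (a validated handle instead of a raw pointer); it illustrates the class of defence, not what Chromium changed for this CVE.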

Vulnerable Software Versions

Every release of Google Chrome before 94.0.4606.61 is affected; that is the authoritative criterion, and it includes the first Chrome 94 stable build (94.0.4606.54), which is newer than anything in the list below. For reference, the releases enumerated by vulnerability databases for this issue are:

Google Chrome: 7.0.517.41, 7.0.517.44, 70.0.3538.67, 70.0.3538.77, 70.0.3538.102, 70.0.3538.110, 71.0.3578.80, 71.0.3578.98, 72.0.3626.81, 72.0.3626.96, 72.0.3626.109, 72.0.3626.119, 72.0.3626.121, 73.0.3683.75, 73.0.3683.86, 73.0.3683.103, 74.0.3729.108, 74.0.3729.131, 74.0.3729.157, 74.0.3729.169, 75.0.3770.80, 75.0.3770.90, 75.0.3770.100, 75.0.3770.142, 76.0.3809.87, 76.0.3809.100, 76.0.3809.132, 77.0.3865.75, 77.0.3865.90, 77.0.3865.120, 78.0.3904.70, 78.0.3904.87, 78.0.3904.97, 78.0.3904.108, 79.0.3945.79, 79.0.3945.88, 79.0.3945.117, 79.0.3945.130, 80.0.3987.87, 80.0.3987.100, 80.0.3987.106, 80.0.3987.116, 80.0.3987.122, 80.0.3987.132, 80.0.3987.149, 80.0.3987.162, 80.0.3987.163, 81.0.4044.92, 81.0.4044.113, 81.0.4044.122, 81.0.4044.129, 81.0.4044.138, 83.0.4103.61, 83.0.4103.97, 83.0.4103.106, 83.0.4103.116, 84.0.4147.89, 84.0.4147.105, 84.0.4147.125, 84.0.4147.135, 85.0.4183.83, 85.0.4183.102, 85.0.4183.121, 86.0.4240.75, 86.0.4240.111, 86.0.4240.183, 86.0.4240.193, 86.0.4240.198, 87.0.4280.66, 87.0.4280.88, 87.0.4280.141, 88.0.4324.96, 88.0.4324.104, 88.0.4324.146, 88.0.4324.150, 88.0.4324.182, 88.0.4324.190, 89.0.4389.72, 89.0.4389.82, 89.0.4389.90, 89.0.4389.114, 89.0.4389.128, 90.0.4430.72, 90.0.4430.85, 90.0.4430.93, 90.0.4430.212, 91.0.4472.77, 91.0.4472.101, 91.0.4472.106, 91.0.4472.114, 91.0.4472.124, 91.0.4472.164, 92.0.4515.107, 92.0.4515.131, 92.0.4515.159, 93.0.4577.63, 93.0.4577.82

Note that the list is not exhaustive (interim builds and the 94.0.4606.54 release are missing from it), so a version check should compare against 94.0.4606.61 rather than look a version up in this list.

Important Information For Users

Chrome users need to know that a patched release is available. Because the vulnerability is being actively exploited in the wild, users should update Google Chrome immediately; there is no configuration workaround for a memory-safety bug in the rendering engine.

Google's official notice for the fixed release states that "The Stable channel has been updated to 94.0.4606.61 for Windows, Mac, and Linux which will roll out over the coming days/weeks." Users should make sure automatic updates are enabled for both the operating system and Chrome itself, and should note that a downloaded Chrome update is only applied once the browser is relaunched. Opening chrome://settings/help (Help > About Google Chrome) shows the installed version, forces an update check, and offers the relaunch. Alternatively, the latest fixed release can be downloaded directly from Google's official Chrome download page, and the full change log for the update is in the Chrome Releases post for version 94.0.4606.61.
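Checking a fleet for this issue comes down to comparing each installed version with 94.0.4606.61 component by component, not against the enumerated list above. The following added example (not Google's tooling) implements that comparison, parsing the text that `google-chrome --version` or `chromium --version` prints; the sample strings are constructed, and unparseable input is deliberately treated as vulnerable so a broken inventory line produces a "patch" verdict rather than a silent pass.

```c
/* Version check against the fixed Chrome release for CVE-2021-37973.
 * Added example, not Google's tooling. Sample inputs are constructed. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

typedef struct { unsigned part[4]; } chrome_version_t;

/* Stable channel build that shipped the fix (Chrome Releases, 24 Sep 2021). */
static const chrome_version_t FIXED = {{94, 0, 4606, 61}};

/* Parse the first dotted four-part version in text such as
 * "Google Chrome 93.0.4577.82" or "Chromium 94.0.4606.54 Built on Ubuntu". */
bool parse_chrome_version(const char *text, chrome_version_t *out) {
    for (const char *p = text; *p; p++) {
        if (!isdigit((unsigned char)*p)) continue;
        unsigned a, b, c, d;
        if (sscanf(p, "%u.%u.%u.%u", &a, &b, &c, &d) == 4) {
            out->part[0] = a; out->part[1] = b; out->part[2] = c; out->part[3] = d;
            return true;
        }
        /* Not a four-part version here (e.g. a year); skip this number and keep looking. */
        while (isdigit((unsigned char)p[1])) p++;
    }
    return false;
}

/* Component-wise comparison: <0 if a is older than b, 0 if equal, >0 if newer. */
int compare_versions(const chrome_version_t *a, const chrome_version_t *b) {
    for (int i = 0; i < 4; i++) {
        if (a->part[i] != b->part[i]) return a->part[i] < b->part[i] ? -1 : 1;
    }
    return 0;
}

/* True when the build is older than 94.0.4606.61.
 * Unparseable input fails closed: it is reported as vulnerable. */
bool is_vulnerable_to_cve_2021_37973(const char *version_output) {
    chrome_version_t v;
    if (!parse_chrome_version(version_output, &v)) return true;
    return compare_versions(&v, &FIXED) < 0;
}

int main(void) {
    /* Constructed inventory lines, as collected from `google-chrome --version` on each host. */
    const char *inventory[] = {
        "Google Chrome 93.0.4577.82",              /* last 93 build: vulnerable */
        "Chromium 94.0.4606.54 Built on Ubuntu",   /* first 94 build: still vulnerable */
        "Google Chrome 94.0.4606.61",              /* fixed build */
        "Google Chrome 7.0.517.41",                /* ancient build from the list above */
        "bash: google-chrome: command not found",  /* no version: fail closed */
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        printf("%-42s -> %s\n", inventory[i],
               is_vulnerable_to_cve_2021_37973(inventory[i]) ? "patch" : "ok");
    }
    return 0;
}
```

The comparison must be numeric per component: a plain string comparison would order "94.0.4606.61" below "94.0.4606.9" and "7.0.517.41" above "70.0.3538.67", which is exactly the kind of mistake that lets unpatched hosts slip through an inventory report.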

