Google has released an emergency Chrome update for Windows, Mac and Linux that fixes two zero-day vulnerabilities exploited by attackers.


Google has begun rolling out Chrome 94.0.4606.71 to users around the world in the stable channel, and it should reach all users within the next few days. The update announcement states that the vulnerabilities CVE-2021-37975 and CVE-2021-37976 have been fixed. This release contains a total of four security fixes, but CVE-2021-37975 and CVE-2021-37976 are the most serious because they have been widely exploited.

CVE-2021-37975 is a high-severity "use after free" vulnerability in the Chrome V8 JavaScript engine. Researchers disclosed this vulnerability on September 24 and wish to remain anonymous. CVE-2021-37976 is described as "core information leakage" and is rated medium severity. It was discovered by Clément Lecigne of Google TAG on September 21, 2021, with the technical assistance of Sergei Glazunov and Mark Brand of Google Project Zero.

Finally, Google said that Chrome users should perform a manual upgrade or restart the browser to install the latest version, and that it will not disclose details of the vulnerabilities until most users have updated.
