Google announced on Monday that it will be issuing patches for 11 high-severity vulnerabilities found in Chrome, including two that are currently being exploited in the wild. The patch, which is part of the Stable Channel Update for Chrome 93 (93.0.4577.82), will be released for Windows, Mac, and Linux (if it hasn’t already). Chrome users are expected to see the rollout in the coming days and weeks.
Readers should note that other popular browsers such as Brave and Edge are also Chromium-based and therefore likely to be vulnerable to these flaws too. Keep an eye out for updates.
You can check what version of Chrome you are running by opening About Google Chrome from the main menu.
The fixes address high-severity vulnerabilities reported to Google by independent researchers from as early as August of this year. The company has included the names of the researchers who found the flaws in its announcement.
Because threat actors are currently exploiting the two aforementioned vulnerabilities, Google provides little to no information on how the attacks against these weaknesses are being carried out, or other precautionary measures users should be looking out for. Per Google:
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
V8, the thorn in Chrome's side?
Nobody will be surprised to see that one of the in-the-wild exploits affects Chrome's V8 engine.
11 zero-days and counting
To date, the Google Chrome team has patched 11 zero-day vulnerabilities in 2021. Previous patches addressed the following vulnerabilities, some of which we have covered here on the Malwarebytes Labs blog:
With so much bad PR, you might expect Chrome's market share to suffer; yet, it remains by far the most popular browser. Users—and the Google Chrome brand—seem unaffected.
Make sure you update your Chrome or Chromium-based browser once you see the patch available, or better still, make sure your browser is set to update itself.
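For anyone checking more than one machine, the version check described above can be scripted. The following is an added example, not code from Google or from the original article: it compares collected `google-chrome --version` output against the fixed build 93.0.4577.82 named above. The hostnames, sample lines and function names are constructed for illustration, and the output format "Google Chrome <version>" is assumed from Linux builds.

```python
import re

# Fixed Stable Channel build named in the article.
PATCHED = (93, 0, 4577, 82)

# Assumed output format of `google-chrome --version` on Linux,
# e.g. "Google Chrome 93.0.4577.63".
_CHROME_RE = re.compile(r"^Google Chrome\s+(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def classify(version_output):
    """Return 'ok', 'needs_update' or 'unknown' for one --version line."""
    match = _CHROME_RE.match(version_output.strip())
    if not match:
        # Other Chromium-based browsers use their own version numbering,
        # so their strings are not compared against Chrome's build number.
        return "unknown"
    installed = tuple(int(part) for part in match.groups())
    # Tuple comparison is numeric per component, so 4577.9 sorts below
    # 4577.82; a plain string comparison would get that wrong.
    return "ok" if installed >= PATCHED else "needs_update"


def audit(inventory):
    """Map host -> status for a dict of host -> --version output."""
    return {host: classify(line) for host, line in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "ws-01": "Google Chrome 93.0.4577.82",
    "ws-02": "Google Chrome 93.0.4577.63 ",
    "ws-03": "Google Chrome 92.0.4515.159",
    "ws-04": "Google Chrome 93.0.4577.9",
    "ws-05": "Brave Browser 93.1.29.79",
    "ws-06": "",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need the vendor's own advisory to determine whether the corresponding fixes have shipped.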