Chrome fixes zero-day flaws under hacker attack — update now

Out-of-date browsers can be hacked by malicious websites, web apps

Google yesterday (Oct. 28) pushed out an update for Chrome on the desktop that fixes eight security vulnerabilities, including two serious "zero-day" flaws that are already under attack by hackers unnamed.

The update takes Chrome to version 95.0.4638.69 for Windows, Mac and Linux. Windows and Mac users can usually just relaunch the browser to install the update, while Linux users may have to wait until their distribution bundles the update into its regular update package.

Otherwise, you can force a Chrome update by clicking the three vertical dots at the top right of the browser window, then mousing down and clicking Help. Click "About Google Chrome" in the fly-out menu that appears, and a new tab will either tell you that Chrome is up-to-date or will download the update.

How these Chrome flaws can be exploited

The first of the two zero-day flaws patched involves "insufficient validation of untrusted input in Intents," a protocol whereby Chrome finds the best web app to handle a particular purpose (catalogued as vulnerability CVE-2021-38000). The other allows "inappropriate implementation in V8," Chrome's JavaScript engine (catalogued as vulnerability CVE-2021-38003).

We're going to guess that the first permits a web app to do naughty things, while the second permits a website to do the same. Google isn't saying anything further.

Because the reporters of these flaws all work for Google, they likely won't be getting any bug-bounty money. But external researchers will be for some of the other flaws patched, including Wei Yuan of MoyunSec VLab, who will net $10,000 for his discovery of a "use-after-free" bug in Chrome's sign-in protocol. 

Use-after-free means that the memory space wasn't properly reallocated after the protocol finished using it, potentially allowing a malicious program to literally invade the space.

The other four described flaws also have to do with use-after-free issues, insufficient validation, V8 or some combination of those. Google isn't saying anything about the eighth vulnerability being patched.

Zero-days as far as the eye can see

Some other browsers that share the Chromium open-source underpinnings with Chrome have also updated to the new version, including Brave and Microsoft Edge. (Like Chrome, you can just relaunch those to update them.) Others, such as Opera and Vivaldi, are not quite there yet.

Google has patched more than a dozen zero-days flaws already in this exceptionally busy year. We're not sure if that's a good thing, indicating a greater share of flaws may be being found, or a bad thing that there may be more zero-days in general.

Here's a list of recent Chrome desktop updates.

• Oct. 28: 95.0.4638.69
• Oct. 19: 95.0.4638.54
• Oct. 7: 94.0.4606.81
• Sept. 30: 94.0.4606.71
• Sept. 24: 94.0.4606.61
• Sept. 21: 94.0.4606.54
• Sept. 13: 93.0.4577.82
• Aug. 31: 93.0.4577.63
• Aug. 16: 92.0.4515.159
• Aug. 2: 92.0.4515.131
• July 20: 92.0.4515.107
• July 15: 91.0.4472.164

Source