How can we help?
Google has released an emergency patch for its Chrome web browser following the discovery of a previously unpatched vulnerability being actively exploited in the wild.
The impact of the discovered exploit has not been disclosed; however, the bug track identifies the vulnerability as a weakness in the “use after free” functionality. This would not be the first time that a vulnerability of this type has been identified and exploited within Chrome. “Use After Free” allows data to be written to an area of memory that is no longer in use. If the data placed there can then be referenced by a process it could allow an attacker to crash, corrupt or execute code of their design.
Given previous exploitation and the identification of this vulnerability being exploited in the wild, it is likely that an attacker is able to remotely execute code on the victim’s device by having them navigate to a malicious website.
Details regarding the attacks are not being disclosed at this time as patches are only just starting to be rolled out and this may take days or weeks to complete. Detection of this vulnerability is currently limited to the identification of the version of Chrome in use.
All Chromium-based browsers before release 94.0.4606.61
Containment, Mitigations & Remediations
The patch is being rolled out to the stable desktop channel at the moment and will be available to all over the coming days and weeks.
Browsers should check for updates automatically when they launch, however manual checks, for people who leave their browsers open all the time, can be performed by clicking the Chrome menu > Help > About Google Chrome
Indicators of Compromise
No indicators of compromise have been disclosed at this time.
This is the 11th zero-day vulnerability in Chrome so far this year (2021), with the previous two disclosures also being in the month of September. While Chrome has been touted as being a more secure browser than its rivals, its prevalence makes it a highly desirable target for attackers and researchers.