If you are using Google Chrome, a zero-day vulnerability in Portals means you need to update immediately
If you are using Google Chrome, you should update immediately. A zero-day security vulnerability has been fixed in Chrome 94.0.4606.61, which was released as an emergency update for Windows, Mac, and Linux. The vulnerability received the CVE ID CVE-2021-37973, although the company has withheld information about the exploit until the majority of users have updated. The update is being deployed on the stable channel and users should update as soon as they can. To check your version of Chrome, click on the overflow menu at the top right, go to “more”, and click “help”. It will show which version of Chrome you have installed and also install the latest version available.
In a security advisory (via BipComputer), the company said that “Google is aware that an exploit for CVE-2021-37973 exists in nature.” Google says this is a “use after free” bug in Portals, which means that a flaw in Portals allows memory to still be referenced after it has been freed. This can lead to unexpected behavior and, under ideal conditions for an attacker, to exploitation of the browser. Portals are a feature the company started testing in 2019 and are used for onboarding and seamless transitions between pages.
The zero-day security flaw fixed today was reported on September 21, the day the first stable version of Google Chrome 94 was released. It was discovered by Clément Lecigne of Google TAG, with the help of Sergei Glazunov and Mark Brand of Google Project Zero. Project Zero is a security team employed by Google that was founded in 2014. The main mission of the team is to discover zero-day vulnerabilities, that is, vulnerabilities that are unknown to (or not addressed by) the party that should be interested in their mitigation. “Heartbleed” is one such zero-day exploit, which was privately reported to OpenSSL by two separate security teams. One of these security teams operated under Google and ultimately led to the creation of Project Zero.
As this bug was disclosed by Google, this brings the tally to 11 zero-day vulnerabilities discovered in Google Chrome in 2021.