Google has confirmed a serious security vulnerability in Chrome and is urging users to update the browser to the latest version. Google's release note rates the bug High severity, and the urgency comes from the fact that it was already being exploited in the wild before the fix shipped.
Google acknowledged the vulnerability in the Chrome Releases blog post that announces the fix. Tracked as CVE-2021-37973, the flaw affects Chrome on Windows, macOS and Linux. The fix ships in Chrome 94.0.4606.61, which is now rolling out to the stable channel on all three platforms.
The bug is a zero-day: it was being exploited before a patch was available, so defenders had no advance notice. Google's post states this directly, noting that “an exploit for CVE-2021-37973 exists in the wild.” Such flaws are more dangerous than vulnerabilities that are reported and fixed privately, because the attackers have a head start on the security researchers and may already have used the bug against real users before anyone could defend against it.
Google has not published further technical details. This follows its standard practice of restricting access to bug reports until a majority of users have received the fix, so that attackers who do not yet know about the flaw cannot pick it up from the disclosure. More details can be expected once Google judges that enough of the Chrome user base has upgraded.
In its release note, Google describes the bug as a use-after-free (UAF) in Chrome's Portals component. A UAF is a memory-safety bug in dynamic (heap) memory handling: a program frees a block of memory but continues to use a pointer to it. Kaspersky's explanation captures the essential mechanics: if the pointer is not cleared after the memory is freed, the program can later read from or write through that dangling pointer, and if an attacker can arrange for their own data to occupy the freed block in the meantime, the program ends up operating on attacker-controlled content. In a browser, where web content can drive allocations in the renderer, that is the usual route from memory corruption to code execution.
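To make the mechanics concrete, here is an added example in C that is not Chrome code and has nothing to do with the Portals bug itself. It uses a hypothetical fixed-size slab allocator (a deliberate simplification of how a real heap hands a just-freed chunk to the next allocation of the same size class, chosen so the reuse is deterministic) and a hypothetical `session_t` record. The vulnerable flow keeps using the pointer after the free, so an attacker-sized allocation reclaims the slot and the stale pointer reads attacker bytes; the hardened flow clears the pointer at the point of release, exactly the discipline the Kaspersky note describes, so the later use is refused instead of trusting attacker data.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical slab: NUM_SLOTS chunks of SLOT_SIZE bytes with a LIFO free
 * list.  Like a real heap, the most recently freed chunk is the next one
 * handed out for an allocation of the same size.  Constructed for the example. */
#define SLOT_SIZE 32
#define NUM_SLOTS 4

static uint8_t g_slab[NUM_SLOTS][SLOT_SIZE];
static int     g_free_stack[NUM_SLOTS];
static int     g_free_top;

static void slab_reset(void) {
    memset(g_slab, 0, sizeof g_slab);
    g_free_top = 0;
    for (int i = NUM_SLOTS - 1; i >= 0; i--) g_free_stack[g_free_top++] = i;
}

static void *slab_alloc(void) {
    if (g_free_top == 0) return NULL;
    return g_slab[g_free_stack[--g_free_top]];
}

static void slab_free(void *p) {
    int idx = (int)(((uint8_t *)p - &g_slab[0][0]) / SLOT_SIZE);
    g_free_stack[g_free_top++] = idx;   /* this slot is reused by the next alloc */
}

/* Hypothetical object whose contents decide what the program is allowed to do. */
typedef struct {
    char name[24];
    int  is_admin;
} session_t;

/* Attacker-controlled allocation of the same size class: the attacker knows the
 * layout and writes a fake session with is_admin = 1 into the reclaimed slot. */
static void attacker_reclaims_slot(void) {
    char *buf = slab_alloc();
    int one = 1;
    memset(buf, 0, SLOT_SIZE);
    memcpy(buf, "admin", 6);
    memcpy(buf + offsetof(session_t, is_admin), &one, sizeof one);
}

/* Vulnerable flow: free, keep the dangling pointer, use it later.
 * Returns the is_admin value the stale pointer sees (attacker-controlled). */
int vulnerable_flow(void) {
    slab_reset();
    session_t *s = slab_alloc();
    strcpy(s->name, "guest");
    s->is_admin = 0;

    slab_free(s);               /* object released ... */
    attacker_reclaims_slot();   /* ... slot refilled with attacker bytes ... */

    return s->is_admin;         /* ... and the program trusts them: returns 1 */
}

/* Hardened release: the only way to free a session also clears the handle. */
static void session_close(session_t **sp) {
    slab_free(*sp);
    *sp = NULL;                 /* no dangling pointer survives the free */
}

/* Hardened flow: same sequence, but every use goes through a NULL check.
 * Returns 0 because the stale use is refused rather than served from the slot. */
int hardened_flow(void) {
    slab_reset();
    session_t *s = slab_alloc();
    strcpy(s->name, "guest");
    s->is_admin = 0;

    session_close(&s);
    attacker_reclaims_slot();

    if (s == NULL) return 0;    /* detectable bug, not an attacker-controlled object */
    return s->is_admin;
}

int main(void) {
    printf("vulnerable flow sees is_admin = %d\n", vulnerable_flow());
    printf("hardened flow sees is_admin   = %d\n", hardened_flow());
    return 0;
}
```

Clearing the pointer only helps for the alias you clear; if other copies of the pointer exist elsewhere in the program, the bug remains. That is why large C++ code bases rely on ownership discipline (a single owner that controls the object's lifetime) and run their tests under AddressSanitizer, which flags the stale access in `vulnerable_flow` at the moment it happens rather than after an attacker has reclaimed the slot.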
Google advises all Chrome users to install the update. To check the installed version, open the Chrome menu, then Help > About Google Chrome (or type chrome://settings/help in the address bar); that page shows the current version and triggers an update check. If the version is 94.0.4606.61 or higher, the fix is in place. Anything lower means the update has not been applied yet. Note that a downloaded update only takes effect after Chrome is relaunched, so click the Relaunch button when it appears rather than leaving the old process running.