Google has updated Chrome to version 96.0.4664.110 for Windows, Mac, and Linux, in the Stable channel due to a high-severity zero-day vulnerability that the firm has confirmed as currently being exploited in the wild. According to the announcement, the update might take time to reach everyone, but we were able to get the update right away on our test system.
The update contains five fixes, which you can see below along with the corresponding bounty reward paid for the disclosure.
- [$NA] Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26
- [$5000] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16
- [$5000] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19
- [$TBD] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair on 2021-10-21
- [$TBD] High CVE-2021-4102: Use after free in V8. Reported by Anonymous on 2021-12-09
Google also notes that "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed." which likely applies to CVE-2021-4102 and of which is already actively being exploited in the wild according to the search giant.
According to Bleeping Computer, who first spotted this, it is the 16th such zero-day vulnerability that the company has patched this year, so not entirely uncommon either. The other 15 zero-days patched in 2021 are listed below:
- CVE-2021-21148 - February 4th
- CVE-2021-21166 - March 2nd
- CVE-2021-21193 - March 12th
- CVE-2021-21220 - April 13th
- CVE-2021-21224 - April 20th
- CVE-2021-30551 - June 9th
- CVE-2021-30554 - June 17th
- CVE-2021-30563 - July 15th
- CVE-2021-30632 and CVE-2021-30633 - September 13th
- CVE-2021-37973 - September 24th
- CVE-2021-37976 and CVE-2021-37975 - September 30th
- CVE-2021-38000 and CVE-2021-38003 - October 28th
You might also remember that when Chrome 96 was released last month, it was disclosed that Chrome 97 will not get released until the first week of January, which makes patching the current version all the more important.
You can check if the update is available by going to the Chrome menu > Help > About Google Chrome. The browser will also auto-check for recent updates and if one is available will install and give an option to relaunch, upon which the update will be applied.