Google Chrome zero-day flaw under attack — what to do now

The Google Chrome logo displayed on a laptop screen.
(Image credit: monticello/Shutterstock)

Google has updated Chrome to fix 14 security flaws, including one "zero-day" flaw that's actively being exploited by hackers unknown. 

To make sure your desktop version of Chrome for Windows or Mac is updated to version 91.0.4472.101, click the three vertical dots at the top right of the browser window, scroll down to Help, and then click on "About Google Chrome" in the fly-out menu. 

A new tab will open. If it tells you your browser is up-to-date, you're done. If not, it will automatically download the new version, after which you have to relaunch the browser. (Linux users may have to wait for their distribution's next update.)

The zero-day, catalogued as CVE-2021-30551, is related to a Windows flaw, also a zero-day, that Google researchers discovered last week and Microsoft patched yesterday (June 8). That's according to Shane Huntley, director of Google's Threat Analysis Group.

The Chrome zero-day is categorized in today's Chrome Releases blog post as due to "type confusion in V8." V8 is the open-source JavaScript rendering engine used by Chrome and other browsers based on the Chromium project, including Brave, Microsoft Edge, Opera and Vivaldi.

None of those other four browsers had incorporated the Chrome patch at the time of this writing Wednesday evening Eastern time, but we'll show you how to check at the end of this piece.

It's not clear how technically similar the Chrome and Microsoft zero-days are. The Microsoft one affects HTML parsing used in Internet Explorer and other legacy software, but that software is used by the Chromium-based Edge only when in "Internet Explorer mode."

Bleeping Computer noted that this is the sixth Chrome zero-day flaw patched so far in 2021. Two patched by Google in April were used in conjunction with two Microsoft flaws discovered by Kaspersky and patched by Microsoft yesterday (June 8).

All of these zero-day flaws seem to have been used in sophisticated nation-state attacks against specific targets, presumably for espionage purposes. But as details leak out about the flaws, criminals may start using them for more indiscriminate attacks against a wider range of targets.

The security risk of today's Chrome zero-day is rated "High." However, there's another fix for a flaw marked "Critical" that involves "use after free in BFCache," which means that a vulnerability exists in the way Chrome holds recently viewed web pages in a computer's running memory.

How to check if Edge, Brave, Opera or Vivaldi are up to date with Chrome

Here's a list of the most recent Chrome/Chromium updates. 

Among other Chromium browsers, Brave uses Chrome's version numbers, so it's easy to see whether it's up to date. 

In Edge, you have to type "edge://version" into the address bar and hit Enter or Return.  In the resulting page, "User agent" will tell you the corresponding version of Chrome. Edge and Brave can be updated the same way as Chrome.

In Opera and Vivaldi, click the browser icon in the top left corner, then Help > About. Under "User Agent" or "Browser Identification," you'll see the corresponding Chrome version number. 

In Opera, that page will also trigger an update if one is available; in Vivaldi, you click Help > Check for Updates.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.