Chrome under hacker attack — how to update ASAP
Hackers using flaws to crack open Chrome
Google patched Chrome for Windows, Mac and Linux Monday (Sept. 13) to fix two zero-day flaws being actively used by hackers in attacks. Nine other vulnerabilities were also fixed. You'll want to update your browser ASAP to make sure you're not a sitting duck.
To update Chrome in Windows or Mac, it's usually enough to just close the browser and relaunch it again. Users of some Linux distributions, however, may have to wait for their distro to package the Chrome fix along with other software updates.
- How to run a Safety Check in Google Chrome
- The best Windows 10 antivirus software
- Plus: I thought Amazon Fire TVs were trash — but the Omni changes that
If relaunching Chrome doesn't update it, then move your mouse cursor up to the three little vertical dots in the top right of the browser window. Click the dots, then move your cursor down to hover over "Help" in the drop-down menu.
A smaller window will pop out to the left. Click "About Google Chrome." Your browser will either tell you that it's up to date or will update itself and then prompt you to relaunch. The version of Chrome that you want to be on right now is 93.0.4577.82.
No time to prepare
The two patched zero-day flaws, catalogued as CVE-2021-30632 and CVE-2021-30633, were both reported to Google by anonymous sources (possibly the same source) on Sept. 8.
They're called "zero days" because hackers were already using them in attacks before Chrome found out, giving the developers no time to prepare fixes before exploitation began. These are the first zero-days patched in Chrome since mid-July.
The first is described as an "out-of-bounds write in V8," which is Chrome's JavaScript engine and handles many of the moving parts on a web page. Google has patched half-a-dozen zero-days this year related to V8.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Get instant access to breaking news, the hottest reviews, great deals and helpful tips.
The second flaw is characterized as "use after free in Indexed DB API," meaning that hackers figured out a way to hijack running memory allocated to a programming interface that handles JavaScript interactions with a database.
JavaScript is one of the chief components that make interactive websites possible. Before JavaScript, websites were largely static. Without JavaScript and similar technologies, you wouldn't be able to open a Gmail message without reloading the entire page.
Possible international espionage
There's no information yet on who was using these two zero-days flaws, or who was being targeted. But most of the Chrome zero-days fixed in 2021 have involved highly resourced nation-state attackers — i.e., government spies — going after high-value targets, which can include political dissidents, foreign diplomats or others whose computers and smartphones might contain lots of valuable information.
The other flaws fixed included three in the Blink rendering engines that builds web pages in Chrome, and two in the ANGLE graphics engine. Most of their discoverers were named, but we liked the one identified only as "@SorryMybad."
Chrome shares its open-source Chromium codebase with several other browsers, and not all had been updated yet at the time of this writing. Despite yesterday's (Sept. 14) Patch Tuesday round of Microsoft updates, the Microsoft Edge browser was still based on Chromium 93.0.4577.63, while Opera was even further back with Chromium 92.0.4515.159.
However, both Brave and Vivaldi have updated themselves to the current version of Chromium.
Recent Chrome updates
Here's a list of the Chrome desktop updates in the past six months of 2021.
- Sept. 13: 93.0.4577.82
- Aug. 31: 93.0.4577.63
- Aug. 16: 92.0.4515.159
- Aug. 2: 92.0.4515.131
- July 20: 92.0.4515.107
- July 15: 91.0.4472.164
- June 24: 91.0.4472.123/.124
- June 17: 91.0.4472.114
- June 14: 91.0.4472.106
- June 9: 91.0.4472.101
- May 25: 91.0.4472.77
- May 10: 90.0.4430.212
- April 26: 90.0.4430.93
- April 20: 90.0.4430.85
- April 14: 90.0.4430.72
- April 13: 89.0.4389.128
- March 30: 89.0.4389.114
- March 12: 89.0.4389.90
- March 5: 89.0.4389.82
- March 2: 89.0.4389.72
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.