Chrome on desktop gets emergency patch to prevent hacker attack — what to do
We have few details on the flaw being fixed, but it's bad enough to warrant this solo patch
It's time to update desktop Google Chrome once again. Google released an emergency patch on Friday (September 24) to fix a single "zero-day" flaw that's currently out in the wild.
To update to the new version, Chrome 94.0.4606.61 for Windows, Mac and Linux, it's often enough to just close Chrome and then launch it again. Some Linux distributions need to wait for the next omnibus update package, however.
If turning Chrome off and turning it back on again doesn't work, then use your mouse cursor to click the three vertical dots at the top right of the browser window. Drag your cursor down to hover over Help in the drop-down menu, then click About Google Chrome in the fly-out menu.
A new browser tab will open and tell you whether your browser is up-to-date or not. If not, it will download the update and prompt you to relaunch.
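For anyone checking more than one machine, here is a small POSIX shell check, added here and not part of the article, that reports whether a given Chrome build number is at or above the fixed version 94.0.4606.61. It compares each dotted field numerically rather than as text; the Linux binary names it probes for a local install are assumptions.

```shell
#!/bin/sh
# Added example: is a Chrome build at or above the release that fixes CVE-2021-37973?
FIXED_VERSION="94.0.4606.61"

# version_ge A B: succeed (exit 0) when dotted version A >= B.
# Each field is compared as a number; a plain string compare would rank
# 92.0.4515.159 below 92.0.4515.9 because "1" sorts before "9".
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"        # leading field of each version
        [ -z "$ax" ] && ax=0                 # missing trailing fields count as 0
        [ -z "$bx" ] && bx=0
        if [ "$ax" -gt "$bx" ]; then return 0; fi
        if [ "$ax" -lt "$bx" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac   # drop the field just compared
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0                                 # all fields equal
}

# chrome_status VERSION: print "patched" or "vulnerable" for the given build.
chrome_status() {
    if version_ge "$1" "$FIXED_VERSION"; then echo "patched"; else echo "vulnerable"; fi
}

# installed_chrome_version: best-effort read of a local Linux install.
# The binary names below are assumptions; prints nothing if none is on PATH.
installed_chrome_version() {
    for bin in google-chrome google-chrome-stable chromium chromium-browser; do
        if command -v "$bin" >/dev/null 2>&1; then
            "$bin" --version 2>/dev/null | sed 's/[^0-9.]*\([0-9][0-9.]*\).*/\1/'
            return 0
        fi
    done
    return 1
}

if v="$(installed_chrome_version)" && [ -n "$v" ]; then
    echo "Installed Chrome $v: $(chrome_status "$v")"
else
    echo "Chrome not found on PATH; pass a build number to chrome_status instead"
fi
```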
Portals to what might be a pretty serious flaw
The vulnerability being resolved here, catalogued as CVE-2021-37973, appears to involve a use-after-free memory-handling issue in Portals: the browser keeps using a block of memory after releasing it, which could let a malicious application or function claim that memory in the meantime.
No word on who's using it to attack whom, but it must be pretty bad if Google is updating Chrome to fix this one flaw, just three days after a major update to Chrome 94.
Portals is a fairly new browser function that lets one web page embed elements inside another in a way that permits "seamless and instant navigations between pages," according to a GitHub page explaining Portals.
We don't quite get it either, but a video on a Google-run web developers' site shows images from one website appearing in another site's page, and then taking over the page when the user clicks on the images without having to reload another site. That's nice.
That's all we know about the flaw so far, other than Google stating that it "is aware that an exploit for CVE-2021-37973 exists in the wild."
The flaw's discovery is credited to Clément Lecigne of Google Threat Analysis Group, who apparently got "technical assistance" from Sergei Glazunov and Mark Brand of Google's Project Zero team.
Lecigne was also credited as one of the co-discoverers of an iOS and macOS flaw that Apple patched Thursday (Sept. 23). There's no indication yet that the two flaws are related.
Google also maintains and updates the Chromium open-source project that is the foundation of many other browsers, including Brave, Microsoft Edge, Opera and Vivaldi.
None of those four browsers had updated to the newest version of Chromium at the time of this writing.
Chrome timeline of updates
By our count, this is the 12th zero-day flaw that Google has patched in Chrome for the desktop this year. Here's a timeline of the most recent (and not-so-recent) Chrome desktop updates.
- Sept. 24: 94.0.4606.61
- Sept. 21: 94.0.4606.54
- Sept. 13: 93.0.4577.82
- Aug. 31: 93.0.4577.63
- Aug. 16: 92.0.4515.159
- Aug. 2: 92.0.4515.131
- July 20: 92.0.4515.107
- July 15: 91.0.4472.164
- June 24: 91.0.4472.123/.124
- June 17: 91.0.4472.114
- June 14: 91.0.4472.106
- June 9: 91.0.4472.101
- May 25: 91.0.4472.77
- May 10: 90.0.4430.212
- April 26: 90.0.4430.93
- April 20: 90.0.4430.85
- April 14: 90.0.4430.72
- April 13: 89.0.4389.128
- March 30: 89.0.4389.114
- March 12: 89.0.4389.90
- March 5: 89.0.4389.82
- March 2: 89.0.4389.72
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.
schroef: I noticed the article stated 12-day zero-flaw, however why do none of the HTTP sites load and I get an HSTS error?
On all sites when I check their certificate it says invalid. The only thing which seems to work is setting the date back by 1 day. This is using OS X Chrome 94.0.4606.61.