Update: Google issues urgent security fix for Chrome — update right now.
Stop us if you've heard this one before: Google has patched Chrome on the desktop to fix two "zero-day" flaws being already actively exploited by hackers in the wild, as well as two other vulnerabilities. You'll need to update Chrome as well as any related browsers you have to stay safe.
To update Chrome to the latest version, 94.0.4606.71, on Windows or Mac, it's often enough to just close and relaunch the browser. Otherwise, click the three vertical dots in the upper right of the browser window, scroll down to Help and click on About Google Chrome in the fly-out menu.
- Your Apple Pay payments can be stolen over the air — here's what to do
- The best Windows 10 antivirus software
- Plus: Google Pixel 6 and Pixel 6 Pro prices just tipped — and it’s good news
That will spark up a new tab that will check to see if you have the latest version. If not, Chrome will download it for you and prompt you to relaunch.
On Linux, you'll often have to wait for your distribution's next bundle of updates. As for other browser based on the same open-source Chromium underpinning, neither Microsoft Edge, Opera, Brave nor Vivaldi had updated to 94.0.4606.71 or its equivalent at the time of this writing.
What we know about these flaws
As usual, the Chrome team isn't saying who is exploiting these vulnerabilities against whom, only that Google is "aware" that exploits for the two zero-day flaws "exist in the wild." (The adjective refers to the fact that defenders have zero days to prepare before the exploits are used — in other words, the bad guys knew about them first.)
The first zero-day flaw, catalogued as CVE-2021-37975, involves a "use after free" bug in V8, Chrome's JavaScript parser. That means another application, potentially a malicious one, could seize space on your computer's memory chips immediately after V8 is done using it, getting a toehold in your system processes before the OS has a chance to reallocate that chunk of memory.
Discovery of the flaw was attributed to an anonymous researcher.
The second zero-day, CVE-2021-37976, involved an "information leak in core." We're not quite sure what that refers to as "core" can mean a dozen different things. This flaw appears to be less serious than the other one, and its discovery is credited to Clément Lecigne of Google's Threat Analysis Group, with assists from Sergei Glazunov and Mark Brand of the Google Project Zero team.
A third flaw fixed with this update isn't a zero-day, but also involves a use-after-free bug, this time ironically in Chrome's Safe Browsing feature. Google isn't disclosing the fourth flaw yet.
This are the 47th and 48th zero-day flaws found in Chrome this year, according to an online spreadsheet that's tracking such things. A single zero-day was patched in Chrome just last week.
Chrome update timeline
Here's a timeline of the last three months of Chrome desktop stable-channel updates.
- Sept. 30: 94.0.4606.71
- Sept. 24: 94.0.4606.61
- Sept. 21: 94.0.4606.54
- Sept. 13: 93.0.4577.82
- Aug. 31: 93.0.4577.63
- Aug. 16: 92.0.4515.159
- Aug. 2: 92.0.4515.131
- July 20: 92.0.4515.107
- July 15: 91.0.4472.164
- Read next: The best internet security suites
