{"id":18911,"date":"2021-10-02T07:58:28","date_gmt":"2021-10-02T11:58:28","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/three-vulnerabilities-in-chrome\/18911\/"},"modified":"2022-05-05T11:03:34","modified_gmt":"2022-05-05T07:03:34","slug":"three-vulnerabilities-in-chrome","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/three-vulnerabilities-in-chrome\/18911\/","title":{"rendered":"Three vulnerabilities in Google Chrome"},"content":{"rendered":"<p>Google has released an emergency update for the Chrome browser that addresses three vulnerabilities: <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-37974\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-37974<\/a>, <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-37975\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-37975<\/a>, and <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-37976\" target=\"_blank\" rel=\"nofollow noopener\">CVE-2021-37976<\/a>. Google experts consider one of the vulnerabilities critical and the other two highly dangerous.<\/p>\n<p>What\u2019s worse, <a href=\"https:\/\/chromereleases.googleblog.com\/2021\/09\/stable-channel-update-for-desktop_30.html\" target=\"_blank\" rel=\"nofollow noopener\">according to Google<\/a>, cybercriminals have already exploited two of these three vulnerabilities. Therefore, Google advises all Chrome users to immediately update the browser to version 94.0.4606.71. 
These vulnerabilities are also relevant to other browsers based on the Chromium engine \u2014 for instance, Microsoft recommends updating Edge to version 94.0.992.38.<\/p>\n<h2>Why these vulnerabilities in Google Chrome are dangerous<\/h2>\n<p>CVE-2021-37974 and CVE-2021-37975 are <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/use-after-free\/\" target=\"_blank\" rel=\"noopener\">use-after-free (UAF)<\/a> class vulnerabilities \u2014 they arise from incorrect use of heap memory and, as a result, can lead to arbitrary code execution on the targeted computer.<\/p>\n<p>The first one, CVE-2021-37974, is related to the Safe Browsing component, a Google Chrome subsystem that warns users about unsafe websites and downloads. The CVSS v3.1 severity rating for this vulnerability is 7.7 out of 10.<\/p>\n<p>The second vulnerability, CVE-2021-37975, was found in Chrome\u2019s V8 JavaScript engine. This one is considered the most dangerous of all three \u2014 8.4 on the CVSS v3.1 scale, which makes it a \u2018critical\u2019 risk vulnerability. Unknown malefactors are already using this vulnerability in their attacks on Chrome users.<\/p>\n<p>The cause of the third vulnerability, CVE-2021-37976, is data overexposure caused by the core of Google Chrome. It\u2019s slightly less dangerous \u2014 7.2 on the CVSS v3.1 scale; however, it is also already being used by cybercriminals.<\/p>\n<h2>How cybercriminals can exploit these vulnerabilities<\/h2>\n<p>Exploitation of all three vulnerabilities requires the creation of a malicious web page. All attackers need is to create a website with an embedded exploit and a way to lure victims to it. As a result, exploits for the two use-after-free vulnerabilities allow the attackers to execute arbitrary code on the computers of unpatched Chrome users who have accessed the page. That can lead to the compromise of their system. 
An exploit for the third vulnerability, CVE-2021-37976, makes it possible for the attackers to gain access to the victim\u2019s confidential information.<\/p>\n<p>Google will most likely reveal more details on the vulnerabilities after the majority of users have updated their browsers. In any case, it\u2019s not worth delaying the update \u2014 it is much better to do it as soon as possible.<\/p>\n<h2>How to stay safe<\/h2>\n<p>The first step for everyone is to update browsers on all devices that have access to the Internet. Quite often the update is installed automatically when the browser is restarted; however, many users do not restart their computer for a long time, so their browser may remain vulnerable for several days or even weeks. In any case, we recommend checking the version of Chrome. Here\u2019s how to do it: click on the <em>Customise and Control Google Chrome<\/em> button at the top-right corner of the browser window and choose <em>Help<\/em> -&gt; <em>About Google Chrome<\/em>. If your browser version is not the latest available, Chrome will automatically start the update.<\/p>\n<p>For extra protection we recommend that users install <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">security solutions<\/a> on all devices with Internet access. This way, even if you\u2019re caught without an up-to-date browser, proactive protection technologies will minimize the possibility of successful vulnerability exploitation.<\/p>\n<p>We also recommend that employees of corporate information security departments use <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">security solutions on all devices<\/a>, monitor security updates, and employ an automatic update delivery and control system. 
It would also be reasonable to prioritize the installation of browser updates.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"ksos-generic\">\n","protected":false},"excerpt":{"rendered":"<p>Google released an update that patches three dangerous vulnerabilities in Google Chrome. Update your browser right away!<\/p>\n","protected":false},"author":2706,"featured_media":18912,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1318,1917,1486],"tags":[16,22,121,2426,268],"class_list":{"0":"post-18911","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-business","8":"category-smb","9":"category-threats","10":"tag-chrome","11":"tag-google","12":"tag-updates","13":"tag-use-after-free","14":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/three-vulnerabilities-in-chrome\/18911\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/three-vulnerabilities-in-chrome\/23438\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/three-vulnerabilities-in-chrome\/9469\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/three-vulnerabilities-in-chrome\/25504\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/three-vulnerabilities-in-chrome\/23582\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/three-vulnerabilities-in-chrome\/23007\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/three-vulnerabilities-in-chrome\/26191\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/three-vulnerabilities-in-chrome\/25718\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/three-vulnerabilities-in-chrome\/31617\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/three-vulnerabilities-in-chrome\/10115\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspe
rsky.com\/blog\/three-vulnerabilities-in-chrome\/42265\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/three-vulnerabilities-in-chrome\/17832\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/three-vulnerabilities-in-chrome\/18229\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/three-vulnerabilities-in-chrome\/15373\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/three-vulnerabilities-in-chrome\/27516\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/three-vulnerabilities-in-chrome\/31729\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/three-vulnerabilities-in-chrome\/24437\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/three-vulnerabilities-in-chrome\/29793\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/three-vulnerabilities-in-chrome\/29592\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/vulnerabilities\/","name":"vulnerabilities"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18911","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2706"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=18911"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18911\/revisions"}],"predecessor-version":[{"id":18913,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/18911\/revisions\/18913"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/18912"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=18911"}]
,"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=18911"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=18911"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}