A week after the first security update for Chrome 96, Google released a second update. The developers have also closed a 0-day vulnerability with this update.
A week ago, Google released an update to Chrome 96.0.4664.93 to fix 22 security vulnerabilities. On December 13, Google released another update to Chrome 96.0.4664.110 to fix serious security vulnerabilities, including one that is already being used for attacks. That was the 17th 0-day vulnerability in Chrome this year.
The Chrome Release Blog lists five fixed vulnerabilities (CVE-2021-4098 to -4102), all of which were discovered and reported by outside researchers. The vulnerability CVE-2021-4098 is classified as critical.
More important than this vulnerability, however, is CVE-2021-4102, a use-after-free vulnerability in the JavaScript engine V8. The vulnerability is rated only as high risk, but is apparently already being exploited to attack Chrome users. The blog entry gives no details on how this 0-day vulnerability is used or how widespread the attacks are. Typically, exploits for such vulnerabilities are used to inject and execute code.
Three other vulnerabilities are also classified as high risk. These are a use-after-free vulnerability and a buffer overflow in the 3D renderer SwiftShader as well as a vulnerability (CVE-2021-4100) in the graphics library ANGLE (Almost Native Graphics Layer Engine).
Chrome updates are available through the built-in update functionality. They are usually downloaded and installed automatically. If you do not want to wait, you can also initiate the update manually under Help » About Google Chrome.