Google Says Hackers Are Actively Exploiting Two New Zero Days in Chrome, Issues Urgent Patch

Security researchers have found two new zero-day vulnerabilities actively being exploited in Chrome, prompting Google to roll out an urgent patch for everyone using its popular web browser.

Chrome 95.0.4638.69 is rolling out for Windows, Mac and Linux computers fixing a total of eight high-severity flaws, according to the release notes.

Two of those flaws are particularly dangerous, according to the stable channel update.

“Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild,” writes Prudhvikumar Bommana of the Google Chrome team. “We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.”

CVE-2021-38000 deals with “insufficient validation of untrusted input in Intents,” while CVE-2021-38003 describes a bug triggered by “inappropriate implementation in V8.”

Other flaws can enable exploitation of the Sign-In, Garbage Collection, and Web Transport components, according to the bug notes. As always, Google credits the researchers handsomely, awarding bounties of up to $10,000.

The search giant is holding off the technicalities, seeking to discourage exploitation. However, with the cat out of the bag now, users must update ASAP.

To do so, hit the three-dotted options button in the upper right-hand corner of Chrome’s window, choose Settings, About Chrome and allow the browser to fetch your new version. When the download completes, simply relaunch Chrome to finis updating. Remember that incognito windows will not reopen post relaunch, so be sure to save any important work you have in progress in incognito windows or tabs.

As usual, stay safe!