Heads up, kids — Google has released its second emergency update for Chrome this month.
Chrome version 89.0.4389.90 for Windows, Mac and Linux fixes five security bugs, one of which (catalogued as CVE-2021-21193) has to do with unprotected memory in Chrome's Blink rendering engine.
"Google," the official Chrome blog post dryly notes, "is aware of reports that an exploit for CVE-2021-21193 exists in the wild."
In other words, the bad guys knew about this Blink vulnerability and launched attacks before the good guys could get their boots on — the classic definition of a zero-day exploit. The flaw was reported to Google three days ago by a researcher who apparently wishes to remain anonymous.
How to update Chrome
Bringing your Chrome browser up to date is easy on Windows and Macs. Closing and relaunching the browser usually does the trick.
Otherwise, click the three vertical dots at the top right of the Chrome browser window with your mouse cursor, scroll down to Help and click About Google Chrome in the fly-out window.
A new browser tab will open; it will either tell you that "Google Chrome is up to date" or download the latest version and prompt you to relaunch the browser. Again, you want to be on version 89.0.4389.90.
On Linux, you'll probably have to wait for your distribution to put the Chrome update in the distribution's regular software update cycle.
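For anyone checking more than one machine, the version check above can be scripted. This is an added example, not part of the original article: it takes version strings as shown on the About Google Chrome page or printed by `google-chrome --version` and compares them numerically against 89.0.4389.90. The host names and sample strings are constructed for illustration.

```python
import re

# Fixed build named in the article.
FIXED = (89, 0, 4389, 90)

# Chrome versions have four dot-separated numeric fields.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the first four-part version found in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def needs_update(text, fixed=FIXED):
    """True if the reported version is below the fixed build, False if at or
    above it, None if no version could be parsed (treat as 'go and look')."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuples of ints compare field by field. Comparing the raw strings would
    # wrongly rank "100.0..." below "89.0..." and ".9" above ".82".
    return version < fixed


def audit(inventory, fixed=FIXED):
    """Map each host to 'patched', 'OUTDATED' or 'unknown'."""
    labels = {True: "OUTDATED", False: "patched", None: "unknown"}
    return {host: labels[needs_update(s, fixed)] for host, s in inventory.items()}


# Constructed sample inventory: host names and reported strings are made up.
SAMPLE = {
    "ws-01": "Google Chrome 89.0.4389.90",
    "ws-02": "Google Chrome 89.0.4389.82",
    "ws-03": "Google Chrome 89.0.4389.9",
    "ws-04": "Google Chrome 100.0.4896.60",
    "ws-05": "chrome: command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" should be checked by hand rather than assumed to be patched.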
Four other fixes
Two of the other four flaws in today's patches were reported by non-Google parties. One is a memory-handling flaw in WebRTC, the multimedia engine built into modern web browsers; its pseudonymous finder, "raven," will get a $500 bug bounty for their troubles.
The other is a heap buffer overflow — basically a memory overrun — in Chrome tab groups, which was found by Abdulrahman Alqabandi of the Microsoft Browser Vulnerability Research team.
Google discovered and fixed two other flaws on its own and isn't providing any details about those yet.
On March 2, Google patched 47 Chrome security flaws, including an audio flaw that was already being exploited in the wild.