It's time to update desktop Google Chrome once again. Google released an emergency patch on Friday (September 24) to fix a single "zero-day" flaw that's currently out in the wild.
To update to the new version, Chrome 94.0.4606.61 (opens in new tab) for Windows, Mac and Linux, it's often enough to just close Chrome and then launch it again. Some Linux distributions need to wait for the next omnibus update package, however.
- Three unpatched iOS 15 security flaws posted online — what you need to know
- Best internet security suites to protect all your computers and smartphones
- Plus: Don't use these Chinese smartphones, European government warns
If turning Chrome off and turning it back on again doesn't work, then use your mouse cursor to click the three vertical dots at the top right of the browser window. Drag your cursor down to hover over Help in the drop-down menu, then click About Google Chrome in the fly-out menu.
A new browser tab will open and tell you whether your browser is up-to-date or not. If not, it will download the update and prompt you to relaunch.
Portals to what might be a pretty serious flaw
The vulnerability being resolved here, catalogued as CVE-2021-37973, appears to involve a use-after-free memory-handling issue in Portals, one that might permit a malicious application or function to grab that memory space while it's up for grabs.
No word on who's using it to attack whom, but it must be pretty bad if Google is updating Chrome to fix this one flaw, just three days after a major update to Chrome 94.
Portals is a fairly new browser function that lets one web page embed elements inside another in a way that permits "seamless and instant navigations between pages," according to a GitHub page explaining Portals (opens in new tab).
We don't quite get it either, but a video on a Google-run web developers' site (opens in new tab) shows images from one website appearing in another site's page, and then taking over the page when the user clicks on the images without having to reload another site. That's nice.
That's all we know about the flaw so far, other than Google stating that it "is aware that an exploit for CVE-2021-37973 exists in the wild."
The flaw's discovery is credited to Clément Lecigne of Google Threat Analysis Group, who apparently got "technical assistance" from Sergei Glazunov and Mark Brand of Google's Project Zero team.
Lecigne was also credited as one of the co-discoverers of an iOS and macOS flaw that Apple patched Thursday (Sept. 23). There's no indication yet that the two flaws are related.
Google also maintains and updates the Chromium open-source project that is the foundation of many other browsers, including Brave, Microsoft Edge, Opera and Vivaldi.
None of those four browsers had updated to the newest version of Chromium at the time of this writing.
Chrome timeline of updates
By our count, this is the 12th zero-day flaw that Google has patched in Chrome for the desktop this year. Here's a timeline of the most recent (and not-so-recent) Chrome desktop updates.
- Sept. 24: 94.0.4606.61 (opens in new tab)
- Sept. 21: 94.0.4606.54 (opens in new tab)
- Sept. 13: 93.0.4577.82 (opens in new tab)
- Aug. 31: 93.0.4577.63 (opens in new tab)
- Aug. 16: 92.0.4515.159 (opens in new tab)
- Aug. 2: 92.0.4515.131 (opens in new tab)
- July 20: 92.0.4515.107 (opens in new tab)
- July 15: 91.0.4472.164 (opens in new tab)
- June 24: 91.0.4472.123/.124 (opens in new tab)
- June 17: 91.0.4472.114 (opens in new tab)
- June 14: 91.0.4472.106 (opens in new tab)
- June 9: 91.0.4472.101 (opens in new tab)
- May 25: 91.0.4472.77 (opens in new tab)
- May 10: 90.0.4430.212 (opens in new tab)
- April 26: 90.0.4430.93 (opens in new tab)
- April 20: 90.0.4430.85 (opens in new tab)
- April 14: 90.0.4430.72 (opens in new tab)
- April 13: 89.0.4389.128 (opens in new tab)
- March 30: 89.0.4389.114 (opens in new tab)
- March 12: 89.0.4389.90 (opens in new tab)
- March 5: 89.0.4389.82 (opens in new tab)
- March 2: 89.0.4389.72 (opens in new tab)
