Update Google Chrome now to fix these flaws being attacked by hackers



Stop us if you've heard this one before: Google has patched Chrome on the desktop to fix two "zero-day" flaws that are already being actively exploited by hackers in the wild, as well as two other vulnerabilities. You'll need to update Chrome, and any related browsers you have, to stay safe.

To update Chrome to the latest version, 94.0.4606.71, on Windows or Mac, it's often enough to just close and relaunch the browser. Otherwise, click the three vertical dots in the upper right of the browser window, scroll down to Help and click on About Google Chrome in the fly-out menu. 

That will spark up a new tab that will check to see if you have the latest version. If not, Chrome will download it for you and prompt you to relaunch.

On Linux, you'll often have to wait for your distribution's next bundle of updates. As for other browsers based on the same open-source Chromium underpinnings, neither Microsoft Edge, Opera, Brave nor Vivaldi had updated to 94.0.4606.71 or its equivalent at the time of this writing.

What we know about these flaws

As usual, the Chrome team isn't saying who is exploiting these vulnerabilities against whom, only that Google is "aware" that exploits for the two zero-day flaws "exist in the wild." (The adjective refers to the fact that defenders have zero days to prepare before the exploits are used — in other words, the bad guys knew about them first.)

The first zero-day flaw, catalogued as CVE-2021-37975, involves a "use after free" bug in V8, Chrome's JavaScript engine. That means V8 keeps using a chunk of memory after it has released it, so whoever grabs that chunk next, potentially a malicious web page, can fill it with their own data before V8 touches it again and get a toehold in the browser's processes.
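The use-after-free pattern described above, as an added example that is not part of the original article or of Chrome's code: a toy one-slot allocator (a constructed stand-in for a real heap) shows why a pointer that outlives its object reads whatever the next owner wrote into the same bytes, and a generation-checked handle shows the defensive pattern that refuses the stale reference instead. Every name and value here is hypothetical; the toy heap is used because a real use-after-free on the system allocator is undefined behaviour and would not run deterministically.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed one-slot "heap": a freed chunk is handed straight back to the
 * next allocation, as a real allocator's free list would do. */
#define SLOT_BYTES 32
static unsigned char *slot = NULL;   /* backing storage, malloc'd once */
static int slot_free = 1;
static uint32_t slot_gen = 1;        /* bumped on every free */

static void *toy_alloc(void) {
    if (!slot) slot = malloc(SLOT_BYTES);
    if (!slot_free) return NULL;     /* single slot only */
    slot_free = 0;
    return slot;
}

static void toy_free(void *p) {
    (void)p;
    slot_free = 1;
    slot_gen++;                      /* the chunk is now a different object */
}

/* An engine-style object carrying a callback, as an interpreter might keep. */
typedef void (*handler_fn)(void);
typedef struct { handler_fn handler; uint32_t tag; } object_t;

static void benign_handler(void) {}

/* Vulnerable pattern: a raw pointer is kept after the object is freed.
 * Returns 1 when the stale pointer observes the new owner's bytes. */
int vulnerable_pattern_reads_stale_data(void) {
    object_t *obj = toy_alloc();
    obj->handler = benign_handler;
    obj->tag = 0x1111u;

    toy_free(obj);                   /* object gone, pointer kept: dangling */

    /* The next allocation gets the same bytes; a constructed fill pattern
     * stands in for whatever the new owner chooses to write there. */
    unsigned char *later = toy_alloc();
    memset(later, 0x41, SLOT_BYTES);

    /* Through the stale pointer the handler field is no longer what the code
     * set. Calling it would jump somewhere nobody intended, so only compare. */
    int stale = (obj->handler != benign_handler) && (obj->tag == 0x41414141u);
    toy_free(later);
    return stale;
}

/* Hardened pattern: hold a handle (allocation generation) instead of a raw
 * pointer and revalidate it on every use, so a freed-and-reused chunk is
 * refused rather than dereferenced. */
typedef struct { uint32_t gen; } handle_t;

static handle_t handle_for_live_object(void) {
    handle_t h = { slot_gen };
    return h;
}

static object_t *resolve(handle_t h) {
    if (slot_free || h.gen != slot_gen) return NULL;   /* freed or stale */
    return (object_t *)slot;
}

/* Returns 1 when a live handle resolves and a stale one is refused. */
int hardened_pattern_refuses_stale_handle(void) {
    object_t *obj = toy_alloc();
    obj->handler = benign_handler;
    handle_t h = handle_for_live_object();

    if (resolve(h) == NULL) return 0;   /* still live: must resolve */
    toy_free(obj);

    void *reuser = toy_alloc();         /* slot reused by someone else */
    int refused = (resolve(h) == NULL); /* generation moved on: refused */
    toy_free(reuser);
    return refused;
}

int main(void) {
    printf("stale pointer sees new owner's data: %d\n",
           vulnerable_pattern_reads_stale_data());
    printf("generation-checked handle refused:   %d\n",
           hardened_pattern_refuses_stale_handle());
    return 0;
}
```

Build with `cc -O2 uaf_demo.c -o uaf_demo` and run it; both lines print 1. On a real heap the same bug is caught at runtime by compiling with `-fsanitize=address`, which is the standard way fuzzers surface V8-style use-after-free findings before they ship.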

Discovery of the flaw was attributed to an anonymous researcher.

The second zero-day, CVE-2021-37976, involves an "information leak in core." We're not quite sure what that refers to, as "core" can mean a dozen different things. This flaw appears to be less serious than the other one, and its discovery is credited to Clément Lecigne of Google's Threat Analysis Group, with assists from Sergei Glazunov and Mark Brand of the Google Project Zero team.

A third flaw fixed with this update isn't a zero-day, but also involves a use-after-free bug, this time ironically in Chrome's Safe Browsing feature. Google isn't disclosing the fourth flaw yet.

These are the 47th and 48th zero-day flaws found in Chrome this year, according to an online spreadsheet that's tracking such things. A single zero-day was patched in Chrome just last week.

Chrome update timeline

Here's a timeline of the last three months of Chrome desktop stable-channel updates.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.