Google Chrome under attack via zero-day flaw — what to do now

Google Chrome
(Image credit: Big Tuna Online/Shutterstock)

Update your desktop Chrome browser, because doing so patches a zero-day flaw that's being actively exploited in the wild by undisclosed hackers. 

Google's official Chrome blog says only that the vulnerability, given the catalog number CVE-2021-21166, is an "object lifecycle issue in audio" with "high" severity and that Google "is aware of reports" that the flaw is being exploited. 

Google's general policy is to not release too many details about vulnerabilities before patches can be widely deployed. This one is considered a zero-day flaw because it was exploited before Chrome was aware the flaw existed.

To update Chrome on Windows and Mac, you often need to just close and then relaunch the browser. But to be sure, click the Settings icon (it looks like three vertical dots) in the top right of the browser window. 

In the resulting pop-out menu, slide your cursor down to Help, then slide over and click "About Google Chrome" in the fly-out menu that appears.

Chrome will open a new tab notifying you whether your browser build is up to date. If it isn't, Chrome will download the update automatically, then prompt you to relaunch the browser. You want to end up on version 89.0.4389.72.

Linux distributions generally update the Chrome browser through routine updates covering all installed software.

The discovery of this vulnerability is credited to Alison Huffman of the Microsoft browser vulnerability research team. Huffman is credited with finding two other flaws patched in this week's Chrome update, which patches a total of 47 flaws.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.