Skip to main content

Chrome on desktop gets emergency patch to prevent hacker attack — what to do

Image of Chrome logo
(Image credit: tanuha2001 / Shutterstock.com)

It's time to update desktop Google Chrome once again. Google released an emergency patch on Friday (September 24) to fix a single "zero-day" flaw that's currently out in the wild.

To update to the new version, Chrome 94.0.4606.61 for Windows, Mac and Linux, it's often enough to just close Chrome and then launch it again. Some Linux distributions need to wait for the next omnibus update package, however.

If turning Chrome off and turning it back on again doesn't work, then use your mouse cursor to click the three vertical dots at the top right of the browser window. Drag your cursor down to hover over Help in the drop-down menu, then click About Google Chrome in the fly-out menu. 

A new browser tab will open and tell you whether your browser is up-to-date or not. If not, it will download the update and prompt you to relaunch.

Portals to what might be a pretty serious flaw

The vulnerability being resolved here, catalogued as CVE-2021-37973, appears to involve a use-after-free memory-handling issue in Portals, one that might permit a malicious application or function to grab that memory space while it's up for grabs. 

No word on who's using it to attack whom, but it must be pretty bad if Google is updating Chrome to fix this one flaw, just three days after a major update to Chrome 94.

Portals is a fairly new browser function that lets one web page embed elements inside another in a way that permits "seamless and instant navigations between pages," according to a GitHub page explaining Portals.

We don't quite get it either, but a video on a Google-run web developers' site shows images from one website appearing in another site's page, and then taking over the page when the user clicks on the images without having to reload another site. That's nice.

That's all we know about the flaw so far, other than Google stating that it "is aware that an exploit for CVE-2021-37973 exists in the wild." 

The flaw's discovery is credited to Clément Lecigne of Google Threat Analysis Group, who apparently got "technical assistance" from Sergei Glazunov and Mark Brand of Google's Project Zero team.

Lecigne was also credited as one of the co-discoverers of an iOS and macOS flaw that Apple patched Thursday (Sept. 23). There's no indication yet that the two flaws are related. 

Google also maintains and updates the Chromium open-source project that is the foundation of many other browsers, including Brave, Microsoft Edge, Opera and Vivaldi. 

None of those four browsers had updated to the newest version of Chromium at the time of this writing.

Chrome timeline of updates

By our count, this is the 12th zero-day flaw that Google has patched in Chrome for the desktop this year. Here's a timeline of the most recent (and not-so-recent) Chrome desktop updates.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.

  • schroef
    I noticed the article stated 12-day zero-flaw, however why do none of the HTTP site load and i get an HSTS error?
    On all sites when i check their certificate it says invalid. Only things which seems to work is setting the date back by 1 day. This is using osx chrome 94.0.4606.61
    Reply
  • rgd1101
    sound like you need to update your osx
    Reply