Google has released Chrome 95.0.4638.69 for Windows, Mac and Linux to fix two zero-day vulnerabilities already being used by intruders.
"Google is aware that expoits for CVE-2021-38000 and CVE-2021-38003 are already available," Google revealed in the list of security patches in today's version of Google Chrome.
But we know that new edition it may take some time to reach everyone. So a good idea is to manually update from the Stable channel desktop.
To install the Chrome update immediately, you should go to the Chrome menu > Help > About Google Chrome and the program tours will start updating.
Zero-days of course were not revealed
This version of Chrome fixes a total of seven vulnerabilities, two of which are 0day already in use by malicious users.
The first 0day (CVE-2021-38000) is described as "Insufficient validation of an unreliable Intent import" and has been described as highly serious. This vulnerability was discovered by Google Threat Analysis Group's Clement Lecigne, Neel Mehta and Maddie Stone on September 15, 2021.
The second 0day, (CVE-2021-38003), is an “Improper Implementation” bug, again of high severity in machine Chrome V8 JavaScript. This vulnerability was also discovered by Lecigne and reported on October 24th.
At this time, Google has not provided further details for obvious reasons. However, as the new version is released we will learn more in future posts from the Google TAG blogs or Project Zero.
With these fixes, Google has closed 15 zero-days of Chrome since the beginning of 2021.
The other 13 zero-days corrected this year are listed below:
CVE-2021-21148 - 4 February 2021
CVE-2021-21166 - March 2, 2021
CVE-2021-21193 - March 12, 2021
CVE-2021-21220 - April 13, 2021
CVE-2021-21224 - 20 April 2021
CVE-2021-30551 - 9 June 2021
CVE-2021-30554 - 17 June 2021
CVE-2021-30563 - 15 July 2021
CVE-2021-30632 and CVE-2021-30633 - 13 September
CVE-2021-37973 - 24 September 2021
CVE-2021-37976 and CVE-2021-37975 - September 30, 2021
