If you use Google Chrome, a zero-day vulnerability in Portals means you should update immediately

XDA

By Adam Conway

Published Sep 27, 2021

A zero-day vulnerability in Google Chrome's Portals means that you should update immediately, as it has been exploited in the wild.

If you use Google Chrome, you should update immediately. A zero-day security flaw was fixed as a part of Chrome 94.0.4606.61, which was released as an emergency update for Windows, Mac, and Linux. The exploit has been assigned the CVE ID CVE-2021-37973, though the company has withheld information about the exploit until the majority of users have updated. The update is rolling out on the stable channel now, and users should update as soon as they can. To check your Chrome version, click the overflow menu in the top right, go to "more", and click "help". It will say the Chrome version that you have installed, and will also install the latest available to you.

In a security advisory issued by the company (via BleepingComputer), it said that "Google is aware that an exploit for CVE-2021-37973 exists in the wild." Google says that this is a "use after free" attack in Portals, which means that a bug in Portals allows memory that has been freed to still be referenced. This can lead to unexpected behavior and can lead to exploitation of the browser in ideal conditions for an attacker. Portals are a feature that the company began testing in 2019, and are used for embedding and seamless transitions between pages.

The zero-day security flaw fixed today was reported the day the first Google Chrome 94 stable release was published, on September 21. It was discovered by Clément Lecigne from Google TAG, with assistance from Sergei Glazunov and Mark Brand from Google Project Zero. Project Zero is a security division employed by Google, which was founded in 2014. The team’s primary mission is to discover zero-day vulnerabilities – that is, vulnerabilities that are unknown (or unaddressed by) the party that should be interested in its mitigation. “Heartbleed” is one such zero-day exploit, which was privately reported by two separate security teams to OpenSSL. One of these security teams operated under Google and eventually led to the creation of Project Zero.

With this bug having been disclosed by Google, that brings the tally up to 11 zero-day vulnerabilities discovered in Google Chrome in 2021.