For the second time this month, Google has patched two previously unknown or 'zero-day' security flaws in Chrome that are already being exploited by attackers.
Google has released a stable channel Chrome update for Windows, Mac and Linux machines to address two zero-day flaws affecting the most popular browser on the web.
The update pushes Chrome up to version 94.0.4606.71. Due to the attacks, it's prudent for organizations and consumers to update as soon as it becomes available. Google says it will roll out in the "coming days/weeks".
Another medium-severity flaw, tracked as CVE-2021-37976, is an "information leak in core" and was reported by Google's Threat Analysis Group (TAG) with assistance from Google Project Zero security researchers.
"Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild," Google said in release notes.
These latest two flaws mean Google has patched 12 zero-days in Chrome since the beginning of 2021. Google patched two zero-day Chrome flaws on September 13, marking its 10th zero-day patch for the year.
TAG is the group at Google specializing in tracking state-sponsored attackers and has previously uncovered nefarious activity from North Korean hackers and attacks on iOS, and mainstream browsers.
Google Project Zero researcher Samuel Groß recently kicked off a project to resolve V8 bugs, which he noted are particular dangerous.
"V8 bugs typically allow for the construction of unusually powerful exploits," Groß warned. These bugs are also resistant to modern hardware-assisted mitigations.
Details of the two new Chrome bugs haven't yet been added Google Project Zero's "0-day in the wild" tracker. After adding these Chrome bugs, the list would include a total 48 zero-day bugs found to have been exploited in the wild since the beginning of 2021. These bugs have affected software and hardware from from Google, Apple, Adobe, Microsoft, Qualcomm, and ARM.
Google Project Zero and TAG says there has been an uptick in zero-day exploits this year, but what that means in terms of offense and defense is less clear.
"There is not a one-to-one relationship between the number of 0-days being used in-the-wild and the number of 0-days being detected and disclosed as in-the-wild. The attackers behind 0-day exploits generally want their 0-days to stay hidden and unknown because that's how they're most useful," Google's security researchers wrote.
The rise in zero-days could be because defenders are getting better at identifying and detecting them. But it could also be because attackers are using them more frequently because there are more platforms to attack and there are more commercial outfits selling governments access to zero-days, thus reducing the need for technical skills to use them.