Both Microsoft and Google have released new stable channel versions, patching a critical Chromium-based Use-After-Free (UAF) vulnerability that could allow attackers to execute arbitrary code after successful exploitation. The version of Edge is 94.0.992.31, and the version of Google browser is 94.0.4606.61. The new build version is based on Chromium version 94.0.4606.54.
The ID of the vulnerability is CVE-2021-37973. The vulnerability was discovered by Google security engineer Clément Lecigne with the assistance of Sergei Glazunov and Mark Brand. Google said it found a UAF vulnerability in its Portals function.
According to CERT, remote attackers can use this vulnerability to execute arbitrary code or cause a denial of service in the system. When a program or application fails to properly manage the memory pointer after releasing the dynamic memory part, this, in turn, will cause the attacker to execute code.
The pointer stores data related to an address in the memory that the application is using. But dynamic memory will be constantly refreshed and reallocated for use by different applications. However, if the pointer is not set to empty when its corresponding memory space is released or unallocated, the attacker can successfully use the pointer data to gain access to the same memory portion, thereby passing arbitrary malicious code. This is why the vulnerability is named Use-After-Free.
However, Edge 94.0.992.31 and Chrome 94.0.4606.61 have patched this critical memory-based security vulnerability, and it is recommended that users update their browsers to these versions.
