Microsoft and Google have both released new Stable Channel builds that patch a critical use-after-free (UAF) vulnerability in Chromium, which could allow attackers to execute arbitrary code upon successful exploitation. For Edge, the patched version is 94.0.992.31, while for Google Chrome, it is 94.0.4606.61. The new builds are based on Chromium version 94.0.4606.54.
The vulnerability has been assigned the ID CVE-2021-37973. The flaw was discovered by Google security engineer Clément Lecigne with assistance from Sergei Glazunov and Mark Brand, among others.
Google states that it found the UAF vulnerability in its Portals feature, and according to CERT, “a remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system”.
Use-After-Free is a security flaw that occurs when a program or application fails to properly manage a pointer to dynamically allocated memory after that memory has been freed, which in turn can lead to code execution by an attacker.
A pointer stores the address of a region of memory that is being used by the application. Dynamic memory is constantly freed and reallocated for other uses. If a pointer is not set to null once its corresponding memory has been freed or deallocated, it still holds the old address, and attackers can exploit that stale pointer to gain access to the same memory region and use it to pass arbitrary malicious code. This is why the vulnerability is named Use-After-Free.
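The pointer-nulling discipline described above, extended with a generation counter so that copies of a freed pointer are rejected as well. This is an added example, not Chromium's code or its fix; `widget_t`, `handle_t` and the `widget_*` functions are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example; widget_t, handle_t and the widget_* functions are hypothetical. */
#define SLOTS 4

typedef struct { char title[32]; } widget_t;
typedef struct { uint32_t index, gen; } handle_t;

/* Each slot owns one object; gen is bumped whenever that object is freed. */
static struct { widget_t *obj; uint32_t gen; } table[SLOTS];

/* Allocate an object and hand out a handle instead of a raw pointer. */
handle_t widget_create(const char *title) {
    for (uint32_t i = 0; i < SLOTS; i++) {
        if (table[i].obj != NULL) continue;
        table[i].obj = calloc(1, sizeof(widget_t));
        if (table[i].obj == NULL) break;
        snprintf(table[i].obj->title, sizeof table[i].obj->title, "%s", title);
        return (handle_t){ i, table[i].gen };
    }
    return (handle_t){ SLOTS, 0 };  /* invalid: table full or out of memory */
}

/* Resolve a handle; NULL if the object was freed, even if the slot was reused. */
widget_t *widget_get(handle_t h) {
    if (h.index >= SLOTS || table[h.index].gen != h.gen) return NULL;
    return table[h.index].obj;
}

/* Free the object, null the owning pointer, invalidate every copy of the handle. */
int widget_destroy(handle_t h) {
    if (widget_get(h) == NULL) return -1;  /* stale handle: no double free */
    free(table[h.index].obj);
    table[h.index].obj = NULL;
    table[h.index].gen++;
    return 0;
}

int main(void) {
    handle_t a = widget_create("first"), alias = a;  /* two references, one object */
    widget_destroy(a);
    handle_t b = widget_create("second");            /* reuses the freed slot */
    printf("stale alias resolves to %p, new handle to \"%s\"\n",
           (void *)widget_get(alias), widget_get(b)->title);
    return 0;
}
```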
Both Edge 94.0.992.31 and Chrome 94.0.4606.61 have patched this critical memory-based security flaw, and users are advised to update their browsers to these versions.