Google Chrome Vulnerability

OVERVIEW

Multiple vulnerabilities have been discovered in the Google Chrome web browser, the most severe of which could allow for arbitrary code execution (an attacker’s ability to run any commands or code of the attacker’s choice on a target machine or in a target process). Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data.

VERSIONS AFFECTED:

Google Chrome versions prior to 94.0.4606.81
To find what version of Google Chrome you have click the primary “Menu” button (the three vertical dots in the upper-right corner of the window), then click Help > About Google Chrome.

STAFF ACTIONS & RECOMMENDATIONS:

On your BYOD:

• Ensure your Google Chrome version is 94.0.4606.81 or newer. If you have a newer version than this, you are secure, and no further action is required.
• Follow the instructions outlined by Google here to update your Google Chrome browser.

On School Managed Devices:

• No action is required by staff, the Joseph Banks Secondary College IT Support Team is managing the update of Google Chrome remotely.

STUDENT & PARENT ACTIONS & RECOMMENDATIONS:

On your BYOD:

• Ensure your Google Chrome version is 94.0.4606.81 or newer. If you have a newer version than this, you are secure, and no further action is required.
• Follow the instructions outlined by Google here to update your Google Chrome browser.
• The Joseph Banks Secondary College IT Support Team will be deploying the latest version of Google Chrome through Jamf School (ZuluDesk) once the update has been made available to the Australian Apple App Store. This update will deploy automatically to iPads that are managed by Jamf School (ZuluDesk) and no further action is required by students or parents.

On School Managed Devices:

• No action is required by students, the Joseph Banks Secondary College IT Support Team is managing the update of Google Chrome remotely.

TECHNICAL INFORMATION:

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

• A Use after free in Garbage Collection. (CVE-2021-37977)
• A Heap buffer overflow in Blink. (CVE-2021-37978)
• A Heap buffer overflow in WebRTC. (CVE-2021-37979)
• An inappropriate implementation in Sandbox. (CVE-2021-37980)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

CONCLUSION:

If you have any concerns or questions relating to this vulnerability or updating your Google Chrome browser, please contact the Joseph Banks IT Support Team on 08 9303 7452 or email josephbanks.sc.itsupport@education.wa.edu.au.

Kind Regards,

Shaun Barnett
Network and eLearning Coordinator
Joseph Banks Secondary College