Google Chrome—Crucial New Security Warning For 3.2 Billion Users

May 11 update: This post was originally published on May 10

I spoke too soon when I reported yesterday that Google had confirmed a relatively rare update only for Android users of the Chrome browser. Windows, Linux, and Mac users can no longer breathe easy and should now also be checking that their Chrome browsers are updated as soon as possible. Why the change? Because Google has now confirmed that billions of users of the most popular web browser on the planet are affected by the latest security vulnerabilities.

In a May 10 announcement by Prudhvikumar Bommana from the Google Chrome team, it was confirmed that the same nine vulnerabilities that prompted the Android security update warning actually also applied to the desktop browser across all platforms. Actually, there are 13 security fixes in all, as I originally reported, but only nine have been allocated CVE numbers. It is unclear at this time why there was a delay between the two updates being confirmed, but I will try to find out and report back. While none of the disclosed vulnerabilities are of the zero-day variety this time, meaning that there is no evidence that attackers are already exploiting them, that is no reason for complacency. Therefore, please update your Chrome browser as soon as you are able.

In the case of the desktop browser, this means heading for the Help|About option in your Google Chrome menu. The update will automatically start downloading if it is available to you. The full details can be found here but the most important thing to remember is to restart the browser or the update will not be activated. The updated version that includes the security fixes in the desktop client is 101.0.4951.64.

Users of other Chromium-powered web browsers such as Brave and Edge should also be alert to the fact that security updates will probably follow in the coming days. I will update this article as soon as I can confirm those updates have rolled out, with instructions on what you need to do. Of course, Chrome for Android users also still need to ensure that the app is updated, as below.

May 12 update: This post was originally published on May 10

There were no actively-exploited zero-day vulnerabilities affecting the open source Chromium project that is at the core of the Google Chrome browser. This is, of course, good news. As is the fact that the Chrome security update is already rolling out for both desktop and Android versions, and you should be able to force the installation if your browser has not yet automatically updated. Instructions for doing this are included below.

There's more good news, I'm glad to report: both the Brave browser and Opera, which also build upon a Chromium foundation, can now be updated to protect against the bunch of high-severity vulnerabilities. I use Brave as my primary browser of choice these days, not least because, as well as the privacy aspects it delivers so well, it tends to make these important security updates available in pretty short order after the initial Google disclosure. Opera is also usually quick enough off the mark in this regard as well.

Which brings me to the not so good news for users of the world's second most popular desktop browser, Microsoft Edge. At the time of publishing, and I've been checking on an hourly basis today, some 48 hours after the Google Chrome update was announced, Edge users still cannot update the security of their browser. It's not as if Microsoft is unaware of the vulnerabilities, of course, and a quick check of the Microsoft Edge security updates release notes confirms this. A May 10 posting states: “Microsoft is aware of the recent Chromium security fixes. We are actively working on releasing a security fix.”

I have reached out to Microsoft to ask what the reasons are for this delay and, indeed, why Microsoft Edge users always seem to have to wait longer than Chrome, Brave or Opera users to be protected from known vulnerabilities. The Microsoft press office assures me they will look into this for me, so I hope to be able to update you with an answer in due course. In the meantime, however, I suggest you follow the instructions as detailed below in order to keep tabs (no pun intended) on the arrival of the security fix. As with all Chromium-based browsers, downloading and installing the update is not enough on its own; you must restart the browser before it can be initiated and start protecting you from potential danger.

I get that Microsoft needs to ensure that any fixes it applies are safe to use across a broad userbase. You only have to look at the situation with the latest Patch Tuesday rollout of security updates for Windows users to see evidence of what can go wrong. The latest May Patch Tuesday update has caused authentication failures for multiple enterprise users and an out-of-band update to the original update is expected soon. That said, what I don't get is why the likes of Brave and Opera, albeit with smaller userbases and fewer business-critical users, can act with much greater haste. Indeed, Chrome itself has a massively greater userbase across both consumer and business profiles with an estimated 3.2 billion users in total. While all Chromium-based browsers are different in that they wrap all sorts of proprietary components around the base code, there must be a better way of doing this. A coordinated disclosure between vendors, with security updates scheduled for simultaneous release, would seem to be the ideal solution. I doubt that will happen, not least as the browser market is such a competitive one, but delays measured in terms of days between security updates for the same vulnerabilities are never going to get my vote in pure-security effectiveness terms.

How to update the Google Chrome browser (Desktop)

Head for the Help|About option in your Google Chrome menu, and if the update is available, it will automatically start downloading. Restart to activate the update.

How to update the Microsoft Edge browser

Head to Help and feedback|About Microsoft Edge from the three-dot menu top right, and if an update is available this will force the process to start. Once downloaded and installed, as always, close all tabs and restart your browser.

How to update the Brave browser

Head to ‘About Brave’ from the hamburger stack menu top right. This will automatically start the update check, download and installation process. Restart the browser to activate.

How to update the Opera browser

Instead of looking top right as with most browsers, Opera users need to head to the Opera ‘O’ logo top left. Click on this and select Help|About Opera.

Windows, Linux and Mac users of the Google Chrome browser can breathe easy for the moment. This latest security warning is directed solely at smartphone users for a change. In a Chrome update confirmation published 9 May, Google has revealed no less than 13 security fixes. Of these, eight have been assigned Common Vulnerabilities and Exposures (CVE) severity ratings of high, with one getting a medium score. The remainder, four in all, are wrapped up with a ‘various fixes’ from ongoing internal security work that have not been given CVE numbers.

$11,000 awarded to security researchers in bug bounty payments

Of those that have been assigned ratings, three high-severity Chrome for Android security vulnerabilities saw bug bounty payments totalling $11,000 made to the security researchers who disclosed them. The lone medium-severity vulnerability earned a $5,000 bounty payment. Four of the others are in line for a monetary payment but the amounts have yet to be confirmed by Google.

Update to Google Chrome v101.0.4951.61 as soon as you can

As usual, the Forbes Straight Talking Cyber advice is to ensure that your smartphone is updated as soon as possible so that the vulnerability patches can be applied. Google has stated that the fix is rolling out now and should become available on Google Play “over the next few days.” The update version, according to the Google announcement, is Chrome v101.0.4951.61 for Android. At the time of writing, my Samsung Galaxy Note 10+ is still on the 26 April update of v101.0.4951.41 and thus not yet patched.
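For anyone tracking more than one device, the same comparison can be scripted. The following is an added example, not part of the original article: it checks reported Chrome build strings against the two fixed builds the article names (101.0.4951.64 for desktop, 101.0.4951.61 for Android). The host names and the inventory are constructed sample data.

```python
import re

# Fixed builds as stated in the article.
FIXED = {
    "desktop": (101, 0, 4951, 64),
    "android": (101, 0, 4951, 61),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract the four-part Chrome build number from free text, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def is_patched(text, platform):
    """True or False when a build was found, None when no version is present."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuples compare field by field as integers, so build .100 ranks above .64.
    # A plain string comparison would get that case wrong.
    return version >= FIXED[platform]


def audit(inventory):
    """Return (host, reported, status) for every host not confirmed patched."""
    findings = []
    for host, platform, reported in inventory:
        status = is_patched(reported, platform)
        if status is not True:
            label = "unknown" if status is None else "needs update"
            findings.append((host, reported, label))
    return findings


# Constructed sample inventory: (host, platform, reported version string).
SAMPLE = [
    ("ws-01", "desktop", "Google Chrome 101.0.4951.64"),
    ("ws-02", "desktop", "Google Chrome 101.0.4951.41"),
    ("ws-03", "desktop", "Google Chrome 101.0.4951.100"),
    ("note10", "android", "101.0.4951.41"),
    ("pixel", "android", "101.0.4951.61"),
    ("ws-04", "desktop", "version unavailable"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

A host that reports no parseable version is listed as unknown rather than assumed safe, and a patched build number on disk still only protects the user once the browser has been restarted.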

Look out for a .61 version of the Chrome app

Davey Winder

How to check your Google Chrome for Android version number

The best advice is to let Google update your app as soon as it becomes available. To configure this, go to the three-dot menu in the Google Play app and head for Settings|Network preferences|Auto-update apps.

To check your Chrome for Android version number, go to the three-dot menu in the Chrome app itself and select Help & Feedback, then from the three-dot menu there, Version Info.

To check Google Play for the latest version, open the app and tap on your profile icon top right. From here you want Manage apps and device|Updates available.

Head for the available updates to see if the new Chrome version is ready

These are the Chrome security vulnerabilities that have been fixed

The nine security vulnerabilities covered by this Chrome update are as follows; remember that Google restricts access to the full details until such a time as a majority of users have had the chance to update their browser app.

High severity rated:

  • CVE-2022-1633: Use after free in Sharesheet.
  • CVE-2022-1634: Use after free in Browser UI.
  • CVE-2022-1635: Use after free in Permission Prompts.
  • CVE-2022-1636: Use after free in Performance APIs.
  • CVE-2022-1637: Inappropriate implementation in Web Contents.
  • CVE-2022-1638: Heap buffer overflow in V8 Internationalization.
  • CVE-2022-1639: Use after free in ANGLE.
  • CVE-2022-1640: Use after free in Sharing.

Medium severity rated:

  • CVE-2022-1641: Use after free in Web UI Diagnostics.
