Google Chrome—Crucial New Security Warning For 3.2 Billion Users
May 11 Update: This post was originally published on May 10
I spoke too soon when I reported yesterday that Google had confirmed a relatively rare update just for Android users of the Chrome browser. Windows, Linux, and Mac users can no longer breathe easy and instead should now also be checking that their Chrome browsers are updated as soon as possible. Why the change? Because Google has now confirmed that billions of users of the most popular web browser on the planet are affected by the latest security vulnerabilities.
In a May 10 announcement by Prudhvikumar Bommana from the Google Chrome team, it was confirmed that the same nine vulnerabilities that prompted the Android security update warning actually also applied to the desktop browser across all platforms. Actually, there are 13 security fixes in all, as I originally reported, but only nine have been allocated CVE numbers. It is unclear at this time as to why there was a delay between the two updates being confirmed, but I will try to find out and report back. While none of the disclosed vulnerabilities are of the zero-day variety this time, meaning that there is no evidence that attackers are already exploiting them, that is no reason for complacency. So, please update your Chrome browser as soon as you are able.
In the case of the desktop browser, this means heading for the Help|About option in your Google Chrome menu. The update will automatically start downloading if it is available to you. The full details can be found here but the most important thing to remember is to restart the browser or the update will not be activated. The updated version that includes the security fixes in the desktop client is 101.0.4951.64.
Users of other Chromium-powered web browsers such as Brave and Edge should also be alert to the fact that security updates will likely follow in the coming days. I will update this article as soon as I can confirm those updates have rolled out, with instructions on what you need to do. Of course, Chrome for Android users also still need to ensure that the app is updated, as below.
May 12 Update: This post was originally published on May 10
There were no actively-exploited zero-day vulnerabilities affecting the open source Chromium project that is at the core of the Google Chrome browser. This is, of course, good news. As is the fact that the Chrome security update is already rolling out for both desktop and Android versions, and you should be able to force the installation if your browser has not yet automatically updated. Instructions for doing this are included below.
There’s more good news, I’m glad to report: both the Brave browser and Opera, which also build upon a Chromium foundation, can now be updated to protect against the bunch of high-severity vulnerabilities. I use Brave as my primary browser of choice these days, not least because as well as the privacy aspects it delivers so well it tends to make these important security updates available in pretty short order after the initial Google disclosure. Opera is also usually quick enough off the mark in this regard as well.
Which brings me to the not so good news for users of the world’s second most popular desktop browser, Microsoft Edge. At the time of writing, and I’ve been checking on an hourly basis today, some 48 hours after the Google Chrome update was announced, Edge users still cannot update the security of their browser. It’s not as if Microsoft is unaware of the vulnerabilities, of course, and a quick check of the Microsoft Edge security updates release notes confirms this. A May 10 posting states: “Microsoft is aware of the recent Chromium security fixes. We are actively working on releasing a security fix.”
I have reached out to Microsoft to ask what the reasons are for this delay and, indeed, why Microsoft Edge users always seem to have to wait longer than Chrome, Brave or Opera users to be protected from known vulnerabilities. The Microsoft press office assures me they will look into this for me, so I hope to be able to update you with an answer in due course. In the meantime, however, I suggest you follow the instructions as detailed below in order to keep tabs (no pun intended) on the arrival of the security fix. As with all Chromium-based browsers, downloading and installing the update is not enough on its own; you must restart the browser before it can be initiated and start protecting you from potential danger.
I get that Microsoft needs to ensure that any fixes it applies are safe to use across a broad userbase. You only have to look at the situation with the latest Patch Tuesday rollout of security updates for Windows users to see evidence of what can go wrong. The latest May Patch Tuesday update has caused authentication failures for multiple business users, and an out-of-band update to the original update is expected soon. That said, what I don’t get is why the likes of Brave and Opera, albeit with smaller userbases and fewer business-critical users, can act with much greater haste. Indeed, Chrome itself has a massively greater userbase across both consumer and business profiles, with an estimated 3.2 billion users in total. While all Chromium-based browsers are different in that they wrap all sorts of proprietary components around the base code, there must be a better way of doing this. A coordinated disclosure between vendors, with security updates scheduled for simultaneous release, would seem to be the ideal solution. I doubt that will happen, not least as the browser market is such a competitive one, but delays measured in terms of days between security updates for the same vulnerabilities are never going to get my vote in pure-security effectiveness terms.
How to update the Google Chrome browser (Desktop)
Head for the Help|About option in your Google Chrome menu, and if the update is available, it will automatically start downloading. Restart to activate the update.
How to update the Microsoft Edge browser
Head to Help and feedback|About Microsoft Edge from the three-dot menu top right, and if an update is available this will force the process to start. Once downloaded and installed, as always, close all tabs and restart your browser.
How to update the Brave browser
Head to ‘About Brave’ from the burger stack menu top right. This will automatically start the update checking, download and installation process. Restart the browser to activate.
How to update the Opera browser
Instead of looking top right as with most browsers, Opera users need to head to the Opera ‘O’ logo top left. Click on this and select Help|About Opera.
Windows, Linux and Mac users of the Google Chrome browser can breathe easy for the moment. This latest security warning is directed solely at smartphone users for a change. In a Chrome update confirmation published 9 May, Google has revealed no less than 13 security fixes. Of these, eight have been assigned Common Vulnerabilities and Exposures (CVE) severity ratings of high, with one getting a medium scoring. The remainder, four in all, are wrapped up with a ‘various fixes’ from ongoing internal security work that have not been given CVE numbers.
$11,000 awarded to security researchers in bug bounty payments
Of those that have been assigned ratings, three high-severity Chrome for Android security vulnerabilities saw bug bounty payments totalling $11,000 made to the security researchers who disclosed them. The solitary medium-severity vulnerability earned a $5,000 bounty payment. Four of the others are in line for a monetary payment but the amounts have yet to be confirmed by Google.
Update to Google Chrome v101.0.4951.61 as soon as you can
As usual, the Forbes Straight Talking Cyber advice is to ensure that your smartphone is updated as soon as possible so that the vulnerability patches can be applied. Google has stated that the fix is rolling out now and should become available on Google Play “over the next few days.” The updated version, according to the Google announcement, is Chrome v101.0.4951.61 for Android. At the time of writing, my Samsung Galaxy Note 10+ is still on the 26 April update of v101.0.4951.41 and so not yet patched.
How to check your Google Chrome for Android version number
The best advice is to let Google update your app as soon as it becomes available. To configure this, go to the three-dot menu in the Google Play app and head for Settings|Network preferences|Auto-update apps.
To check your Chrome for Android version number go to the three-dot menu in the Chrome app itself and select Help & Feedback then from the three-dot menu there Version Info.
To check Google Play for the latest version open the app and click on your profile icon top right. From here you want Manage apps and device|Updates available.
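Checking one phone by hand is fine, but anyone responsible for a fleet will want to compare installed Chrome builds against the fixed versions the article names (101.0.4951.64 on desktop, 101.0.4951.61 on Android) without the trap of comparing version strings lexically. The following is an added example, not code from the article or from Google; the inventory it checks is constructed, and only the two fixed build numbers and the author's 101.0.4951.41 Android build come from the text.

```python
"""Flag Chrome installs still older than the May 2022 fixed builds.

Added example (not from the article). Dotted Chrome versions are compared
as integer tuples, because a plain string comparison would rank
'101.0.4951.9' above '101.0.4951.64' simply because '9' > '6'.
"""
from __future__ import annotations

# Fixed builds named in the article: desktop (May 10) and Android (May 9).
PATCHED = {
    "desktop": "101.0.4951.64",
    "android": "101.0.4951.61",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '101.0.4951.64' into (101, 0, 4951, 64) for numeric comparison."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome-style version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, platform: str) -> bool:
    """True when the installed build is at or above the fixed build for platform."""
    return parse_version(installed) >= parse_version(PATCHED[platform])


def triage(inventory: list[tuple[str, str, str]]) -> list[str]:
    """Return the hostnames whose Chrome build still predates the fix."""
    return [host for host, platform, ver in inventory if not is_patched(ver, platform)]


# Constructed sample inventory: (hostname, platform, installed Chrome version).
SAMPLE_INVENTORY = [
    ("laptop-01", "desktop", "101.0.4951.64"),  # at the fixed desktop build
    ("laptop-02", "desktop", "101.0.4951.41"),  # older build, needs the update
    ("laptop-03", "desktop", "101.0.4951.9"),   # would wrongly pass a string compare
    ("phone-01", "android", "101.0.4951.61"),   # at the fixed Android build
    ("phone-02", "android", "101.0.4951.41"),   # the author's Note 10+ build, unpatched
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update Chrome, then restart the browser to activate it")
```

Being at or above the fixed build only shows the update was installed; as the article stresses, the browser still has to be restarted before the fix is active.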
These are the Chrome security vulnerabilities that have been fixed
The nine security vulnerabilities covered by this Chrome update are as follows; remember that Google restricts access to the full details until such a time as a majority of users have had the chance to update their browser app.
High severity rating:
- CVE-2022-1633: Use after free in Sharesheet.
- CVE-2022-1634: Use after free in Browser UI.
- CVE-2022-1635: Use after free in Permission Prompts.
- CVE-2022-1636: Use after free in Performance APIs.
- CVE-2022-1637: Inappropriate implementation in Web Contents.
- CVE-2022-1638: Heap buffer overflow in V8 Internationalization.
- CVE-2022-1639: Use after free in ANGLE.
- CVE-2022-1640: Use after free in Sharing.
Medium severity rating:
- CVE-2022-1641: Use after free in Web UI Diagnostics.