May 11 update: This article was originally published on May 10
I spoke too soon when I reported yesterday that Google had confirmed a relatively rare update just for Android users of the Chrome browser. Windows, Linux, and Mac users can’t breathe easy and should now check that their Chrome browsers are updated as soon as possible. Why this change? Because Google has now confirmed that billions of users of the most popular web browser on the planet are affected by the latest security vulnerabilities.
In a May 10 announcement by Prudhvikumar Bommana of the Google Chrome team, it was confirmed that the same nine vulnerabilities that caused the Android security update warning also apply to the desktop browser on all platforms. In fact, there are 13 security patches in all, as I originally reported, but only nine have received CVE numbers. It’s unclear at this time why there was a delay between confirming the two updates, but I’ll try to find out and report back. While none of the disclosed vulnerabilities are of the zero-day variety this time around, meaning there’s no evidence that attackers are already exploiting them, that’s no reason to rest on your laurels. So please update your Chrome browser as soon as you can.
In the case of the desktop browser, this means heading to the Help | About Google Chrome option in your Google Chrome menu. The update download will start automatically if one is available. The full details can be found here, but the most important thing to remember is to restart the browser, or the update will not be activated. The updated version that includes the security fixes in the desktop client is 101.0.4951.64.
Users of other Chromium-powered web browsers such as Brave and Edge should also be aware that security updates will likely follow in the coming days. I’ll update this article as soon as I can confirm these updates have rolled out, with instructions on what you should do. Of course, Chrome for Android users should also make sure the app is updated, as below.
May 12 update: This article was originally published on May 10
There were no actively exploited zero-day vulnerabilities affecting the open-source Chromium project that is at the heart of the Google Chrome browser. That is, of course, good news. As is the fact that the Chrome security update is already rolling out for the desktop and Android versions, and you should be able to force the install if your browser hasn’t been automatically updated yet. Instructions for doing this are included below.
There’s more good news, I’m happy to report: the Brave browser and Opera, which also rely on a Chromium foundation, can now be updated to protect against the heap of high-severity vulnerabilities. I use Brave as my primary browser of choice these days, not least because of the privacy features it offers, but also because it tends to make those important security updates available pretty soon after Google’s initial disclosure. Opera is also generally quite fast in this regard.
Which brings me to the not-so-good news for users of the world’s second most popular desktop browser, Microsoft Edge. As of this writing, and I checked hourly today, about 48 hours after the Google Chrome update was announced, Edge users are still unable to update the browser with these security fixes. It’s not that Microsoft isn’t aware of the vulnerabilities, of course, and a quick check of the Microsoft Edge security update release notes confirms it. A post from May 10 reads: “Microsoft is aware of recent Chromium security fixes. We are actively working on releasing a security patch.”
I reached out to Microsoft to ask what the reasons are for this delay and, indeed, why Microsoft Edge users always seem to have to wait longer than Chrome, Brave, or Opera users to be protected against known vulnerabilities. The Microsoft press office assures me that they will look into this for me, so hopefully I can update you with a response in due course. In the meantime, however, I suggest you follow the detailed instructions below to keep an eye out (no pun intended) for the arrival of the security patch. As with all Chromium-based browsers, downloading and installing the update alone is not enough; you need to restart the browser before the update is activated and starts protecting against potential danger.
I understand that Microsoft needs to ensure that any patches it applies are safe to use on a broad user base. Just look at the situation with the latest Patch Tuesday rollout of security updates for Windows users to see evidence of what can go wrong. The latest news is that May’s Patch Tuesday update caused authentication failures for several business users, and an out-of-band fix for the original update is expected soon. That said, what I don’t understand is why companies like Brave and Opera, albeit with smaller user bases and fewer business-critical users, can act with much more haste. Indeed, Chrome itself has a massively larger user base across both consumer and business profiles, with around 3.2 billion total users. While all Chromium-based browsers are different in that they wrap all sorts of proprietary components around the core code, there has to be a better way to do it. Coordinated disclosure between vendors, with security updates scheduled for simultaneous release, would seem to be the ideal solution. I doubt that will happen, especially since the browser market is so competitive, but gaps measured in days between security updates for the same vulnerabilities are never going to get my vote in terms of pure security effectiveness.
Go to Help | About Google Chrome in your Google Chrome menu, and if an update is available, the download will start automatically. Restart to activate the update.
Go to Help and Feedback | About Microsoft Edge in the three-dot menu at the top right, and if an update is available, this will start the update process. Once downloaded and installed, as always, close all tabs and restart your browser.
Head to “About Brave” from the hamburger menu at the top right. This will automatically start the process of checking for, downloading, and installing updates. Restart the browser to activate it.
Instead of looking at the top right as with most browsers, Opera users should head to the Opera ‘O’ logo at the top left. Click on it and select Help | About Opera.
Windows, Linux, and Mac users of the Google Chrome browser can breathe easy for now. This latest security warning is only for smartphone users, for a change. In a Chrome update confirmation released on May 9, Google revealed no fewer than 13 security fixes. Of these, eight were assigned Common Vulnerabilities and Exposures (CVE) high severity ratings, with one receiving a medium rating. The others, four in all, are wrapped up in a “miscellaneous patch” from ongoing internal security work and have not been assigned CVE numbers.
$11,000 awarded to security researchers in bug bounty payments
Of those that received ratings, three high-severity Chrome for Android security vulnerabilities saw bug bounty payments totaling $11,000 made to the security researchers who disclosed them. The solitary medium-severity vulnerability earned a bounty payout of $5,000. Four of the others are in line for payment, but the amounts have yet to be confirmed by Google.
Update to Google Chrome v101.0.4951.61 as soon as you can
As usual, the advice from Forbes Straight Talking Cyber is to make sure your smartphone is updated as soon as possible so that the vulnerability fixes can be applied. Google said the fix is rolling out and should be available on Google Play “over the next few days.” The updated version, according to Google’s announcement, is Chrome v101.0.4951.61 for Android. As of this writing, my Samsung Galaxy Note 10+ is still on the April 26 update, v101.0.4951.41, and therefore has not been patched yet.
How to check your Google Chrome for Android version number
The best advice is to let Google update your app as soon as it’s available. To set this up, open the three-dot menu in the Google Play app and head to Settings | Network Preferences | Auto-update apps.
To check your Chrome for Android version number, go to the three-dot menu in the Chrome app itself and select Help & Feedback, then open the three-dot menu there and choose Version Info.
To check Google Play for the latest version, open the app and tap your profile icon in the top right. From here go to Manage apps & device | Updates available.
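Checking one browser by hand is fine, but an administrator will want to apply the same version test to a list of machines. The script below is an added example, not code from the article; it uses the fixed builds the article quotes (101.0.4951.64 for desktop, 101.0.4951.61 for Android) and runs over a constructed inventory.

```python
"""Decide which Chrome installs already carry the May 2022 security fixes.

Added example, not from the article. Fixed builds are the ones the article
quotes; the inventory below is constructed sample data.
"""
import re

# Minimum patched builds as stated in the article, per platform family.
FIXED_BUILDS = {
    "desktop": "101.0.4951.64",   # Windows, Linux, Mac
    "android": "101.0.4951.61",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Pull the four-part Chrome version out of a string such as
    'Google Chrome 101.0.4951.41' or a bare '101.0.4951.64'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def is_patched(platform: str, reported: str) -> bool:
    """True if the reported build is at or above the fixed build.
    Comparing integer tuples avoids the string-comparison trap where
    '101.0.4951.9' would sort above '101.0.4951.64'."""
    key = platform.lower()
    if key in ("windows", "linux", "mac", "macos"):
        key = "desktop"
    if key not in FIXED_BUILDS:
        raise ValueError(f"unknown platform {platform!r}")
    return parse_version(reported) >= parse_version(FIXED_BUILDS[key])


def triage(inventory: list) -> dict:
    """Split (host, platform, version_string) records into patched and
    unpatched hosts. A version string only proves the update is installed;
    the article's point that the browser must be restarted before the fix is
    active cannot be confirmed from the version alone."""
    result = {"patched": [], "unpatched": []}
    for host, platform, version in inventory:
        result["patched" if is_patched(platform, version) else "unpatched"].append(host)
    return result


SAMPLE_INVENTORY = [  # constructed sample data, not from the article
    ("laptop-01", "windows", "Google Chrome 101.0.4951.64"),
    ("laptop-02", "linux", "Google Chrome 101.0.4951.54"),
    ("phone-07", "android", "101.0.4951.41"),  # the article's pre-patch build
    ("phone-08", "android", "101.0.4951.61"),
]
```

Feed it the output of `google-chrome --version` (Linux) or the version shown under Help & Feedback | Version Info on Android; hosts listed as unpatched still need the update, and even patched ones need the restart the article stresses.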
These are the Chrome security vulnerabilities that have been patched
The nine security vulnerabilities covered by this Chrome update are as follows; remember that Google restricts access to full details until a majority of users have had a chance to update their browser app.
High severity:
- CVE-2022-1633: Use after free in Sharesheet.
- CVE-2022-1634: Use after free in Browser UI.
- CVE-2022-1635: Use after free in Permission Prompts.
- CVE-2022-1636: Use after free in Performance APIs.
- CVE-2022-1637: Inappropriate implementation in Web Contents.
- CVE-2022-1638: Heap buffer overflow in V8 Internationalization.
- CVE-2022-1639: Use after free in ANGLE.
- CVE-2022-1640: Use after free in Sharing.
Medium severity:
- CVE-2022-1641: Use after free in Web UI Diagnostics.