It’s time to update: the latest version of Google Chrome fixes 27 security flaws


Google has just released the stable version of Chrome 104 with fixes for 7 “high” severity flaws and 15 “medium” severity flaws. The new version is for Windows, Mac and Linux. 27 security bugs reported by third parties have been fixed.

None of these flaws are listed as being actively exploited, but the Chrome 104 patch notes do contain some notable, though sparsely described, fixes for high-severity flaws that affect the “Omnibox” (Chrome’s address bar), Google’s Safe Browsing online protection, Chrome’s Dawn WebGPU implementation, and Google’s Nearby Share feature, which is similar to Apple’s AirDrop and is used for sharing files between Chromebook and Android devices.

There’s also an interesting medium-severity side-channel data leak issue affecting Chrome’s keyboard input, discovered by Erik Kraft and Martin Schwarzl of Graz University of Technology (Austria). The university is no stranger to this kind of research: its researchers played a pivotal role in uncovering the Meltdown and Spectre CPU side-channel attacks in 2018.

Use after free galore

Google also awarded $15,000 to an anonymous researcher for the Omnibox ‘use after free’ memory-related issue tracked as CVE-2022-2603.

Safe Browsing in Chrome was also affected by a high-severity “use after free” issue (CVE-2022-2604), and a medium-severity issue caused by insufficient validation of untrusted inputs (CVE-2022-2622). Safe Browsing is used by Chrome and other browsers to show users a warning before they visit a dangerous website or download a malicious application.

A high-severity issue was reported by Nan Wang and Guang Gong of Qihoo 360’s 360 Alpha Lab on June 10. They also reported a high-severity “use after free” issue in Chrome’s Managed devices API (CVE-2022-2606) and a medium-severity issue of the same nature in Chrome’s WebUI (CVE-2022-2620).

The flaw in Chrome’s Nearby Share feature was also a “use after free” flaw (CVE-2022-2609).

Voluntary withholding of information

Bug details are intentionally sparse because Google restricts access to details “until a majority of users have updated with a fix.” It can also restrict access if the bug exists in a third-party library that other projects depend on, and which has not yet been fixed.

An important security-related change in Chrome 104 is the removal of the U2F API, Chrome’s original security key API, which has been replaced by the new Web Authentication (WebAuthn) API. WebAuthn became an official W3C standard in 2019, by which time it had already been implemented in all major browsers as well as Windows and Android.

Websites will need to migrate to the WebAuthn API

U2F USB two-factor authentication security keys are supported by WebAuthn, so they are not affected by the change, but websites will need to migrate to the WebAuthn API. This change should come as no surprise to web developers, as Google has been warning them for two years.

“U2F never became an open web standard and was subsumed by the Web Authentication API (launched in Chrome 67). Chrome never directly supported the FIDO U2F JavaScript API, but instead provided a component extension called cryptotoken… U2F and Cryptotoken are in maintenance mode and have been encouraging sites to migrate to the Web Authentication API for the past two years,” Google explains in a recent blog post.
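For sites making the migration described above, here is a sketch of mapping a legacy U2F sign request onto WebAuthn `navigator.credentials.get()` options. It is an added example, not code from Google or from the original article. The function names, the `login.example.com` origin and all sample values are constructed, and the WebAuthn `appid` extension is used so that keys enrolled under the old U2F AppID keep working without re-enrolment.

```javascript
// Added example: legacy U2F sign request -> WebAuthn get() options.
// U2F strings are websafe base64 (base64url, unpadded); WebAuthn wants bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(s.length / 4) * 4, "=");
  const bin = typeof atob === "function"
    ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// U2F transport hints that have the same name in WebAuthn.
const WEBAUTHN_TRANSPORTS = new Set(["usb", "nfc", "ble"]);

function u2fSignToWebAuthn(req, rpId) {
  return {
    publicKey: {
      challenge: b64urlToBytes(req.challenge),
      rpId,
      timeout: 60000,
      // U2F-era keys prove presence only; "required" would exclude them.
      userVerification: "discouraged",
      allowCredentials: req.registeredKeys
        .filter((k) => k.version === "U2F_V2")
        .map((k) => {
          const transports = (k.transports || [])
            .filter((t) => WEBAUTHN_TRANSPORTS.has(t));
          // The U2F key handle is reused as the WebAuthn credential ID.
          const cred = { type: "public-key", id: b64urlToBytes(k.keyHandle) };
          return transports.length ? { ...cred, transports } : cred;
        }),
      extensions: { appid: req.appId },
    },
  };
}

// Server side: when the client reports appid === true, the rpIdHash in the
// authenticator data is SHA-256(appId); otherwise it is SHA-256(rpId).
function rpIdHashInput(clientExtensionResults, rpId, appId) {
  return clientExtensionResults && clientExtensionResults.appid === true
    ? appId : rpId;
}

// Constructed request, shaped like the arguments a page passed to u2f.sign().
const legacyRequest = {
  appId: "https://login.example.com/app-id.json",
  challenge: "AAECAwQFBgcICQoLDA0ODw", // sample only; must be random per login
  registeredKeys: [
    { version: "U2F_V2", keyHandle: "AQIDBA", transports: ["usb", "bt"] },
    { version: "U2F_V2", keyHandle: "_-8" },
  ],
};
// In a browser: await navigator.credentials.get(options)
const options = u2fSignToWebAuthn(legacyRequest, "login.example.com");
```

The `appid` extension only covers signing with existing keys; new enrolments go through `navigator.credentials.create()` and are bound to the RP ID.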

Google has also released Chrome 104 to its new extended stable channel for Windows and Mac.


Source: “ZDNet.com”


