May 11 Update: This post was originally published on May 10
I spoke too soon when I reported yesterday that Google had confirmed a relatively rare update only for Android users of the Chrome browser. Windows, Linux and Mac users can no longer breathe easy and instead should now also check to see if their Chrome browsers are updated as soon as possible. Why the change? Because Google has now confirmed that billions of users of the world’s most popular web browser are affected by the latest security vulnerabilities.
A May 10 announcement by Prudhvikumar Bommana of the Google Chrome team confirmed that the same nine vulnerabilities covered by the Android security update warning also apply to the desktop browser on all platforms. Actually, there are a total of 13 security fixes, as I originally reported, but only nine CVE numbers have been assigned. It’s unclear at this point why there was a delay between the two update confirmations, but I’ll try to find out and report back. While none of the vulnerabilities disclosed this time around are zero-days, meaning there’s no evidence that attackers are exploiting them yet, that’s no cause for complacency. Update your Chrome browser as soon as possible.
In the case of the desktop browser, this means going to the Help|About option in your Google Chrome menu. The update will be downloaded automatically if it is available to you. The full details can be found here, but the most important thing to remember is to restart the browser; otherwise the update will not activate. The updated version that includes the security fixes in the desktop client is 101.0.4951.64.
Users of other Chromium-powered web browsers such as Brave and Edge should also be alert to the fact that security updates are likely to follow in the coming days. I’ll update this article as soon as I can confirm those updates have been rolled out, with instructions on what to do. Of course, Chrome for Android users should also make sure that the app is updated as below.
Update May 12: This post was originally published on May 10
There were no actively exploited zero-day vulnerabilities affecting the open source Chromium project at the heart of the Google Chrome browser. This is good news, of course. As is the fact that the Chrome security update is already rolling out for both desktop and Android versions, and you should be able to force the installation if your browser hasn’t already updated automatically. Below are instructions on how to do this.
There’s more good news, I’m happy to report: both the Brave browser and Opera, which also build on a Chromium foundation, can now be updated to protect against the series of very serious vulnerabilities. I use Brave as my browser of choice these days, not least because, in addition to the privacy aspects it offers so well, it tends to release these important security updates fairly soon after the initial Google reveal. Opera is usually fast enough in this regard as well.
Which brings me to the less good news for users of the world’s second most popular desktop browser, Microsoft Edge. At the time of writing, and I checked every hour today, about 48 hours after the Google Chrome update was announced, Edge users are still unable to update their browser’s security. It is of course not the case that Microsoft is not aware of the vulnerabilities, and a quick check of the Release Notes on Microsoft Edge Security Updates confirms this. A May 10 post reads: “Microsoft is aware of the recent security fixes for Chromium. We are actively working to release a security fix.”
I’ve reached out to Microsoft to inquire about the reasons for this slowdown and, indeed, why Microsoft Edge users always seem to have to wait longer than Chrome, Brave, or Opera users to be protected from known vulnerabilities. Microsoft’s press office assures me that they will look into this for me, so I hope to update you with an answer in due course. In the meantime, however, I recommend that you follow the instructions below to keep an eye out for the security fix’s arrival (no pun intended). As with all Chromium-based browsers, downloading and installing the update alone isn’t enough; you must restart the browser before it can start and protect you from potential danger.
I understand that Microsoft needs to ensure that any fixes it applies are safe to use for a broad user base. You just need to look at the situation with the latest Patch Tuesday rollout of security updates for Windows users to see evidence of what can go wrong. The May Patch Tuesday update caused authentication errors for multiple business users, and an out-of-band fix for that update is expected soon. That said, I don’t understand why Brave and Opera, albeit with smaller user bases and fewer mission-critical users, can act with far more urgency. Indeed, Chrome itself has a vastly larger user base for both consumer and business profiles, with an estimated total of 3.2 billion users. While all Chromium-based browsers differ in that they wrap all sorts of proprietary components around the base code, there must be a better way to do this. Coordinated disclosure between vendors, with security updates planned for simultaneous release, seems like the ideal solution. I doubt that will happen, not least because the browser market is so competitive, but delays measured in days between security updates for the same vulnerabilities will never get my vote in terms of sheer security effectiveness.
Update the Google Chrome browser (desktop)
Go to the Help|About option in your Google Chrome menu and if the update is available, it will be downloaded automatically. Restart to activate the update.
How to update the Microsoft Edge browser
Go to Help & Feedback|About Microsoft Edge in the three-dot menu at the top right and if an update is available, it will force the process to start. Once downloaded and installed, as always, close all tabs and restart your browser.
How to update the Brave browser
Go to “About Brave” in the hamburger stack menu at the top right. This will automatically start the update checking, download and installation process. Restart the browser to activate.
How to update the Opera browser
Instead of looking at the top right, as with most browsers, Opera users should go to the Opera ‘O’ logo at the top left. Click on it and select Help|About Opera.
Windows, Linux and Mac users of the Google Chrome browser can rest easy for now. This latest security warning is aimed solely at smartphone users for a change. In a Chrome update confirmation published on May 9, Google has unveiled a whopping 13 security fixes. Of these, eight have been assigned Common Vulnerabilities and Exposures (CVE) severity ratings of high, with one rated medium. The rest, four in all, are “various fixes” from ongoing internal security work that have not been assigned CVE numbers.
$11,000 awarded to security researchers in bug bounty payments
Of those given a severity rating, three very serious Chrome for Android security vulnerabilities saw bug bounty payments totaling $11,000 to the security researchers who disclosed them. The lone vulnerability of medium severity earned a $5,000 bounty. Four of the others are in line for a cash payment, but the amounts are yet to be confirmed by Google.
Please update to Google Chrome v101.0.4951.61 ASAP
As usual, the Forbes Straight Talking Cyber advice is to ensure that your smartphone is updated as soon as possible so that the vulnerability patches can be applied. Google has stated that the fix is now rolling out and should be available on Google Play “in the coming days”. The updated version, according to Google’s announcement, is Chrome v101.0.4951.61 for Android. At the time of writing, my Samsung Galaxy Note 10+ is still on the April 26 update of v101.0.4951.41 and therefore not patched yet.
How To Check Your Google Chrome For Android Version Number
The best advice is to let Google update your app as soon as it’s available. To configure this, go to the three-dot menu in the Google Play app and go to Settings|Network Preferences|Update apps automatically.
To check your Chrome for Android version number, go to the three-dot menu in the Chrome app itself and select Help & Feedback, then from the three-dot menu there, select Version Info.
To check Google Play for the latest version, open the app and click on your profile icon at the top right. From here you want to manage Apps and device|Updates available.
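For anyone checking more than one device, the version strings above can be compared programmatically. The following is an added example, not code from the post or from Google: it parses a Chrome version string (a bare number, or the "Google Chrome 101.0.4951.64" form that `google-chrome --version` prints on desktop) and compares it against the minimum patched versions stated in this post, 101.0.4951.61 for Android and 101.0.4951.64 for desktop. The `triage` inventory and its host names are constructed for illustration.

```python
import re

# Minimum patched versions as stated in the post (Android fix vs desktop fix).
PATCHED_VERSIONS = {
    "android": "101.0.4951.61",
    "desktop": "101.0.4951.64",   # Windows, Linux and Mac
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text):
    """Return a 4-part integer tuple from a string containing a Chrome
    version, e.g. 'Google Chrome 101.0.4951.64' or '101.0.4951.41'.
    Returns None if no dotted 4-part version is present."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(text, platform):
    """True if the version in `text` is at least the patched version for
    `platform` ('android' or 'desktop'). Raises ValueError for an unknown
    platform or an unparsable string, so a bad input is never silently
    treated as patched."""
    if platform not in PATCHED_VERSIONS:
        raise ValueError(f"unknown platform: {platform}")
    found = parse_chrome_version(text)
    if found is None:
        raise ValueError(f"no Chrome version found in: {text!r}")
    required = parse_chrome_version(PATCHED_VERSIONS[platform])
    # Tuple comparison orders major, minor, build and patch numerically,
    # so 101.0.4951.64 correctly ranks above 101.0.4951.61.
    return found >= required


def triage(inventory):
    """Given (host, platform, version_string) records, return the hosts
    still running a version below the fix for their platform."""
    return [host for host, platform, ver in inventory
            if not is_patched(ver, platform)]


if __name__ == "__main__":
    # Constructed sample inventory; the hosts are not real devices.
    sample = [
        ("phone-a", "android", "101.0.4951.41"),
        ("laptop-1", "desktop", "Google Chrome 101.0.4951.64"),
        ("laptop-2", "desktop", "Google Chrome 101.0.4951.61"),
    ]
    print("Still needs the update:", triage(sample))
```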
These are the security vulnerabilities in Chrome that have been fixed
The nine security vulnerabilities covered by this Chrome update are as follows; remember that Google will restrict access to the full details until a majority of users have had a chance to update their browser app.
High Severity Rating:
- CVE-2022-1633: Use after free in Sharesheet.
- CVE-2022-1634: Use after free in Browser UI.
- CVE-2022-1635: Use after free in Permission Prompts.
- CVE-2022-1636: Use after free in Performance APIs.
- CVE-2022-1637: Inappropriate implementation in Web Contents.
- CVE-2022-1638: Heap buffer overflow in V8 Internationalization.
- CVE-2022-1639: Use after free in ANGLE.
- CVE-2022-1640: Use after free in Sharing.
Medium Severity Rating:
- CVE-2022-1641: Use after free in Web UI Diagnostics.