May 11 Update: This post was originally published on May 10
I spoke too soon when I reported yesterday that Google had confirmed a relatively rare update only for Android users of the Chrome browser. Windows, Linux and Mac users can no longer breathe easy and instead should now also check to see if their Chrome browsers are updated as soon as possible. Why the change? Because Google has now confirmed that billions of users of the world’s most popular web browser are affected by the latest security vulnerabilities.
A May 10 announcement by Prudhvikumar Bommana of the Google Chrome team confirmed that the same nine vulnerabilities behind the Android security update warning also apply to the desktop browser on all platforms. In fact there are 13 security fixes in total, as I originally reported, but only nine have been assigned CVE numbers. It’s unclear at this point why there was a delay between the two update confirmations, but I’ll try to find out and report back. None of the vulnerabilities disclosed this time around are zero-days, meaning there’s no evidence that attackers are exploiting them yet, but that’s no cause for complacency: update your Chrome browser as soon as possible.
In the case of the desktop browser, this means going to the Help|About option in your Google Chrome menu. The update will be downloaded automatically if it is available to you. The full details can be found here but the most important thing to remember is to restart the browser otherwise the update will not activate. The updated version that includes the security fixes in the desktop client is 101.0.4951.64.
Users of other Chromium-powered web browsers such as Brave and Edge should also be alert to the fact that security updates are likely to follow in the coming days. I’ll update this article as soon as I can confirm those updates have been rolled out, with instructions on what to do. Of course, Chrome for Android users should also make sure that the app is updated as below.
Windows, Linux and Mac users of the Google Chrome browser can rest easy for now. This latest security warning is aimed solely at smartphone users for a change. In a Chrome update confirmation published on May 9, Google unveiled a whopping 13 security fixes. Of these, eight have been assigned Common Vulnerabilities and Exposures (CVE) severity ratings of high, with one rated medium. The remaining four are “various fixes” from ongoing internal security work that have not been assigned CVE numbers.
$11,000 awarded to security researchers in bug bounty payments
Of the vulnerabilities given severity ratings, three of the high-severity Chrome for Android vulnerabilities saw bug bounty payments totaling $11,000 to the security researchers who disclosed them. The lone vulnerability of medium severity earned a $5,000 bounty. Four of the others are in line for a cash payment, but the amounts are yet to be confirmed by Google.
Please update to Google Chrome v101.0.4951.61 ASAP
As usual, the Forbes Straight Talking Cyber advice is to ensure that your smartphone is updated as soon as possible so that the vulnerability patches can be applied. Google has stated that the fix is now rolling out and should be available on Google Play “in the coming days”. The updated version, according to Google’s announcement, is Chrome v101.0.4951.61 for Android. At the time of writing, my Samsung Galaxy Note 10+ is still on the April 26 update of v101.0.4951.41 and therefore not patched yet.
How To Check Your Google Chrome For Android Version Number
The best advice is to let Google update your app as soon as it’s available. To configure this, go to the three-dot menu in the Google Play app and select Settings|Network Preferences|Update apps automatically.
To check your Chrome for Android version number, go to the three-dot menu in the Chrome app itself and select Help & Feedback, then from the three-dot menu there select Version Info.
To check Google Play for the latest version, open the app and tap your profile icon at the top right. From there, go to Manage apps and device|Updates available.
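For anyone checking more than one machine, here is a small version check added to this article (it is not Google’s code). It parses the four-part version string that Chrome reports and compares it against the fixed builds named above, 101.0.4951.64 for desktop and 101.0.4951.61 for Android; the optional local lookup assumes a `google-chrome` binary on PATH (Linux/macOS) and is skipped if that fails.

```python
import re
import subprocess

# Minimum fixed builds named in the article: desktop 101.0.4951.64, Android 101.0.4951.61.
PATCHED = {
    "desktop": (101, 0, 4951, 64),
    "android": (101, 0, 4951, 61),
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull the four-part Chrome version out of strings such as
    'Google Chrome 101.0.4951.41'. Returns a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(text, platform="desktop"):
    """True when the version in `text` is at or above the fixed build for
    `platform`. Unparseable input counts as unpatched so it gets flagged."""
    version = parse_version(text)
    return version is not None and version >= PATCHED[platform]


def installed_desktop_version(binary="google-chrome"):
    """Ask a local Chrome binary for its version (Linux/macOS; assumes the
    binary name is on PATH). Returns the raw output, or None if it fails."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample strings standing in for real `--version` output.
    samples = [("Google Chrome 101.0.4951.41", "desktop"),
               ("Google Chrome 101.0.4951.64", "desktop"),
               ("Chrome 101.0.4951.41", "android"),
               ("Chrome 101.0.4951.61", "android")]
    for text, platform in samples:
        print(f"{platform:8} {text:28} "
              f"{'patched' if is_patched(text, platform) else 'UPDATE NEEDED'}")
    live = installed_desktop_version()
    if live:
        print("local   ", live, "patched" if is_patched(live) else "UPDATE NEEDED")
```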
These are the security vulnerabilities in Chrome that have been fixed
The nine security vulnerabilities covered by this Chrome update are listed below. Remember that Google restricts access to the full details until a majority of users have had a chance to update their browser app.
High Severity Rating:
- CVE-2022-1633: Use after free in Sharesheet.
- CVE-2022-1634: Use after free in Browser UI.
- CVE-2022-1635: Use after free in Permission Prompts.
- CVE-2022-1636: Use after free in Performance APIs.
- CVE-2022-1637: Inappropriate implementation in Web Contents.
- CVE-2022-1638: Heap buffer overflow in V8 Internationalization.
- CVE-2022-1639: Use after free in ANGLE.
- CVE-2022-1640: Use after free in Sharing.
Medium Severity Rating:
- CVE-2022-1641: Use after free in Web UI Diagnostics.