Google has now released three emergency out-of-band security updates for the Chrome browser in as many weeks. Additionally, this one, like the first, fixes a high-severity zero-day vulnerability that is already being exploited by attackers.
Three emergency Google Chrome security updates in three weeks
Google has released another emergency security update for all 3.2 billion Chrome web browser users. The third such update, which reveals a single high-severity vulnerability, is due to be released in three weeks. This, like the first of this worrying triumvirate of threats, is a zero-day vulnerability: one that Google has confirmed is already being exploited by attackers.
How serious is CVE-2022-1364?
The security update process will have already started and the patch should be available in the coming days and weeks. This emergency update brings Chrome to version 100.0.4896.127, on Windows, Mac, and Linux platforms. Users of browsers such as Microsoft Edge, Brave, Vivaldi and Opera are advised to pay attention to probable updates for those which will be available shortly.
Curiously, Google’s update announcement says it includes two security patches, but actually only lists CVE-2022-1364 as disclosed by Clément Lecigne who works with the Google Threat Analysis Group. The severity of this vulnerability is further evidenced by the fact that it was reported to Google on April 13 and the security update was released the following day. It’s a very welcome turnaround, but equally unusual and fast.
I contacted Google for a statement.
Google’s vulnerability disclosure system works as expected
As I said before, this does not equate to poor Google security, quite the contrary. The maturity of Google Chrome’s security program is evidenced by the discovery and patching of these vulnerabilities. This is proof that the vulnerability disclosure system works and works well. Of course, it would be better if there weren’t such severe vulnerabilities in the code to begin with, but the truth is that we don’t live in an ideal world where mistakes aren’t made.
How to Apply Google Chrome Security Patch
Chrome should update automatically as the fix becomes available. However, it is advisable to start the update process as soon as possible since attacks are in progress.
Head to Help | About your Google Chrome menu. If your version of Chrome is not showing as 100.0.4896.127, it will be vulnerable to the known exploit. However, the update should start downloading automatically. It may take a few days for the update to reach everyone, so be patient if you don’t see it yet.
Also, remember to restart your browser after installing the update, otherwise it will not activate and you will still be vulnerable to attacks.