New massive security update for 3.2 billion Google Chrome users

April 29 update below. This article was originally published on April 27

It’s been an incredibly busy past few weeks in the world of Google Chrome security, and the pace doesn’t seem to be slowing down. On the heels of two emergency patches for exploits in the wild and the confirmation of a record number of Chromium zero-days in 2021, comes another truly massive security update for billions of Chrome users. How massive would that be? Well, the recently confirmed stable channel update for desktop that brings Google Chrome to version 101.0.4951.41 for Windows, Mac, and Linux users fixes no fewer than 30 security vulnerabilities.


No Google Chrome zero day is a reason for user update complacency

Luckily, for now at least, none of them are zero-days, that is, vulnerabilities attackers are already known to be exploiting. However, that doesn’t mean user complacency should be the order of the day. As always, I recommend installing the Chrome 101 security update as soon as possible rather than waiting for it to roll out to you in the days and weeks to come. And, most importantly, make sure it has actually been applied by restarting the browser, whether you update now or choose to wait.

Update April 29: Since Chrome isn’t the only web browser client to use the Chromium engine under the hood, users of these browsers should also be on the lookout for security updates. I can confirm that at the time of writing my copies of Brave and Microsoft Edge have been updated to include the latest Chromium version 101.0.4951.41 as you can see in the screenshots below. It’s equally important that you make sure these browsers have been updated to apply the necessary security patches, which means restarting them as you would Google Chrome itself.

As for Brave users, you need to head to the three-stripe “hamburger” menu and select the “About Brave” option. Again, this will force the browser to immediately check if an update is available and download it if indeed it is. At the risk of sounding like a broken record, remember to restart the browser to make sure the fix has been applied and is keeping you safe.

To check the version number and start the Microsoft Edge update process, go to the “three dots” menu at the top right of the screen. From there, select “Help & Feedback | About Microsoft Edge”. This will immediately check if an update is available and start downloading if so. You will then be prompted to restart the browser. So make sure you have closed all open tabs and saved all the information you need.

Unfortunately, neither Opera nor Vivaldi had been updated at the time of writing, so please keep checking for updates if you use them. For Opera, you need to head to the Opera icon at the top left. The menu option you want is Help | About Opera, no surprise. Vivaldi users can select Help | Check for Updates from the “V” logo menu.

The US Cybersecurity and Infrastructure Security Agency (CISA) confirmed the importance of these security updates in an April 28 posting. CISA says it “encourages users and administrators to review Chrome’s release notes and apply any necessary patches” because an attacker could otherwise exploit vulnerabilities to take control of an affected system.

$80,000 in Chrome vulnerabilities patched

Of the 30 vulnerabilities, seven of those assigned Common Vulnerabilities and Exposures (CVE) identifiers are rated high severity, while 14 are rated medium. In total, more than $80,000 has been confirmed in Google bounty payments to the researchers who uncovered these security issues.

While the full technical details of the vulnerabilities fixed have yet to be released, we do know that they include the following 25 specific vulnerabilities, with the remaining five falling under “various fixes from internal audits, fuzzing and other initiatives”.


High-severity vulnerabilities:

  • CVE-2022-1477: Use after free in Vulkan.
  • CVE-2022-1478: Use after free in SwiftShader.
  • CVE-2022-1479: Use after free in ANGLE.
  • CVE-2022-1480: Use after free in Device API.
  • CVE-2022-1481: Use after free in Sharing.
  • CVE-2022-1482: Inappropriate implementation in WebGL.
  • CVE-2022-1483: Buffer overflow in WebGPU.

Medium-severity vulnerabilities:

  • CVE-2022-1484: Buffer overflow in Web UI Settings.
  • CVE-2022-1485: Use after free in File System API.
  • CVE-2022-1486: Type confusion in V8.
  • CVE-2022-1487: Use after free in Ozone.
  • CVE-2022-1488: Inappropriate implementation in Extensions API.
  • CVE-2022-1489: Out of bounds memory access in UI Shelf.
  • CVE-2022-1490: Use after free in Browser Switcher.
  • CVE-2022-1491: Use after free in Bookmarks.
  • CVE-2022-1492: Insufficient data validation in Blink Editing.
  • CVE-2022-1493: Use after free in Dev Tools.
  • CVE-2022-1494: Insufficient data validation in Trusted Types.
  • CVE-2022-1495: Incorrect security UI in Downloads.
  • CVE-2022-1496: Use after free in File Manager.
  • CVE-2022-1497: Inappropriate implementation in Input.

Low-severity vulnerabilities:

  • CVE-2022-1498: Inappropriate implementation in HTML Parser.
  • CVE-2022-1499: Inappropriate implementation in WebAuthentication.
  • CVE-2022-1500: Insufficient data validation in Dev Tools.
  • CVE-2022-1501: Inappropriate implementation in iframe.

How to Apply Google Chrome’s Massive Security Patch Right Now

Head to Help | About Google Chrome in the Chrome menu, and if the update is available, the download will start automatically.

Remember to restart your browser after installing the update, otherwise it will not activate and you will still be vulnerable to attacks. This last point is the same if you get the automatic update without starting the process – it won’t activate until your browser restarts. Given how many people keep a browser with a million tabs open all the time, I can’t stress enough how important this is.
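For anyone who has to confirm the patch level across a fleet of Chromium-based browsers rather than one machine, the check below is an added example (not code from the article or from Google) that classifies a version report as patched, vulnerable or unverified against 101.0.4951.41. It assumes two kinds of input: the line printed by a Chrome `--version` command, and the `Chrome/x.y.z.w` token a Chromium-based browser sends in its User-Agent; the sample reports are constructed, and a reduced User-Agent of the form `Chrome/101.0.0.0` is treated as unverifiable because only its major version is real.

```python
import re
from typing import Dict, Optional, Tuple

# Chromium build that carries the 30 fixes discussed in the article.
PATCHED_CHROMIUM = "101.0.4951.41"
# "Chrome/101.0.4951.41" as Chromium-based browsers send it in their User-Agent.
UA_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
# A bare four-part number, e.g. from `google-chrome --version`.
BARE_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def chromium_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the Chromium (major, minor, build, patch) found in `text`, or None.
    The User-Agent token is preferred. A bare number is accepted only when the
    text names Chrome or Chromium: Edge, Brave, Opera and Vivaldi print their
    own product version on the command line, which is not comparable."""
    m = UA_RE.search(text)
    if m is None:
        if re.search(r"\b(Google Chrome|Chromium)\b", text) is None:
            return None
        m = BARE_RE.search(text)
        if m is None:
            return None
    return tuple(int(p) for p in m.groups())

def patch_status(text: str, patched: str = PATCHED_CHROMIUM) -> str:
    """Classify one version report as 'patched', 'vulnerable' or 'unverified'."""
    found = chromium_version(text)
    target = tuple(int(p) for p in patched.split("."))
    if found is None:
        return "unverified"
    if found[1:] == (0, 0, 0):
        # Reduced User-Agent (e.g. Chrome/101.0.0.0): only the major is real,
        # so a same-major report cannot prove the patch level.
        if found[0] == target[0]:
            return "unverified"
        return "patched" if found[0] > target[0] else "vulnerable"
    return "patched" if found >= target else "vulnerable"

def audit(reports: Dict[str, str]) -> Dict[str, str]:
    """Run patch_status over a name -> version-report mapping."""
    return {name: patch_status(report) for name, report in reports.items()}

# Constructed sample reports (not captured from real machines).
SAMPLE_REPORTS = {
    "chrome-cli": "Google Chrome 101.0.4951.41",
    "chrome-stale": "Google Chrome 100.0.4896.127",
    "edge-ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/101.0.4951.41 Safari/537.36 Edg/101.0.1210.32",
    "edge-cli": "Microsoft Edge 101.0.1210.32",
    "reduced-ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/101.0.0.0 Safari/537.36",
}
```

Calling `audit(SAMPLE_REPORTS)` marks only the two reports that carry the real Chromium build as patched; the Edge command-line version and the reduced User-Agent come back as unverified, which is the prompt to open the browser’s About page and read the Chromium version there.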
