Update May 10: This post was originally posted on May 09
I spoke too soon when I reported yesterday that Google had confirmed a relatively rare update only for Android users of the Chrome browser. Windows, Linux and Mac users can no longer breathe easy and should now check that their Chrome browsers are updated as soon as possible. Why the change? Because Google has now confirmed that billions of users of the most popular web browser on the planet are affected by the latest security vulnerabilities.
In a May 10 announcement from Prudhvikumar Bommana of the Google Chrome team, it was confirmed that the same nine vulnerabilities that prompted the Android security update warning also apply to the desktop browser on all platforms. In fact, there are 13 security patches in total, as I originally reported, but only nine have received CVE numbers. It’s currently unknown why there was a delay between confirming the two updates, but I’ll try to find out and report back. While none of the disclosed vulnerabilities this time around are zero-days, meaning there’s no evidence that attackers are already exploiting them, that’s no reason to be complacent. So please update your Chrome browser as soon as you can.
In the case of the desktop browser, this means heading to the Help | About Google Chrome menu. The update will automatically start downloading if available. The full details can be found here, but the most important thing to remember is to restart the browser or the update will not be activated. The updated version that includes the security fixes in the desktop client is 101.0.4951.64.
Users of other Chromium-powered web browsers such as Brave and Edge should also be aware that security updates will likely follow in the coming days. I’ll update this article as soon as I can confirm these updates have rolled out, with instructions on what you should do. Of course, Chrome for Android users should also make sure the app is updated, as below.
Windows, Linux, and Mac users of the Google Chrome browser can breathe for now. This latest security warning applies only to smartphone users. In a Chrome update confirmation released on May 9, Google unveiled no less than 13 security patches. Of these, eight were assigned high severity ratings for common vulnerabilities and exposures (CVEs), with one receiving a medium rating. The others, four in all, are wrapped into a “miscellaneous patch” from ongoing internal security work and have not been assigned CVE numbers.
$11,000 awarded to security researchers in bug bounties
Of the vulnerabilities that received ratings, three high-severity Chrome for Android security vulnerabilities saw bug bounty payments totaling $11,000 made to the security researchers who disclosed them. The solitary medium-severity vulnerability earned a bounty of $5,000. Four of the others are awaiting monetary payment, but the amounts have not yet been confirmed by Google.
Update to Google Chrome v101.0.4951.61 as soon as you can
As usual, the Forbes Straight Talking Cyber advice is to ensure that your smartphone is updated as soon as possible so that vulnerability fixes can be applied. Google said the fix is rolling out and should be available on Google Play “in the coming days.” The updated version, according to Google’s announcement, is Chrome v101.0.4951.61 for Android. As of this writing, my Samsung Galaxy Note 10+ is still on the April 26th update of v101.0.4951.41 and therefore is not yet patched.
How to check your Google Chrome for Android version number
The best advice is to let Google update your app as soon as it’s available. To set this up, access the three-dot menu in the Google Play app and head to Settings | Network Preferences | Auto-update apps.
To check your Chrome for Android version number, go to the three-dot menu in the Chrome app itself and select Help & Feedback, then from the three-dot menu, Version Info.
To check Google Play for the latest version, open the app and tap your profile icon in the top right. From here you want Manage apps and device | Available updates.
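For anyone checking more than one machine, the version comparison can be scripted. This is an added example, not code from the article or from Google: it parses a Chrome version string (such as the output of `google-chrome --version` on Linux, or the number shown under Version Info on Android) and compares it numerically against the patched builds named above, 101.0.4951.64 for desktop and 101.0.4951.61 for Android. The platform names and the sample strings are assumptions constructed for the demonstration.

```python
import re
from typing import Optional, Tuple

# Patched builds named in the article, used here as the minimum safe versions.
PATCHED_VERSIONS = {
    "desktop": "101.0.4951.64",   # Windows, Linux, Mac
    "android": "101.0.4951.61",   # Chrome for Android
}

VERSION_RE = re.compile(r"(\d+(?:\.\d+){3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract a four-part Chrome version from free text and return it
    as a tuple of ints. Numeric comparison matters: as plain strings,
    "101.0.4951.9" would sort above "101.0.4951.64" and look patched."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(installed: str, platform: str) -> bool:
    """True if the installed build is at or above the patched build
    for the given platform ("desktop" or "android")."""
    installed_v = parse_version(installed)
    if installed_v is None:
        raise ValueError(f"no Chrome version found in {installed!r}")
    return installed_v >= parse_version(PATCHED_VERSIONS[platform])


if __name__ == "__main__":
    # Constructed sample strings (hypothetical), in the shape of
    # `google-chrome --version` output or the Android Version Info screen.
    samples = [
        ("Google Chrome 101.0.4951.64", "desktop"),
        ("Chromium 101.0.4951.41", "desktop"),
        ("101.0.4951.41", "android"),   # the April 26 build mentioned above
    ]
    for text, platform in samples:
        status = "patched" if is_patched(text, platform) else "UPDATE NEEDED"
        print(f"{text:30} [{platform}] -> {status}")
```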
These are Chrome’s security vulnerabilities that have been patched
The nine security vulnerabilities covered by this Chrome update are as follows; remember that Google restricts access to full details until a majority of users have had a chance to update their browser app.
High severity level:
- CVE-2022-1633: use after free in Sharesheet.
- CVE-2022-1634: use after free in browser UI.
- CVE-2022-1635: use after free in authorization prompts.
- CVE-2022-1636: use after free in performance APIs.
- CVE-2022-1637: Inappropriate implementation in web content.
- CVE-2022-1638: Heap buffer overflow in V8 internationalization.
- CVE-2022-1639: use after free in ANGLE.
- CVE-2022-1640: use after free in sharing.
Medium severity level:
- CVE-2022-1641: use after free in web UI diagnostics.