Google Chrome–Crucial Security Warning for 3.2 Billion Users

Yesterday’s report that Google had confirmed a rare update for Chrome browser users on Android told only part of the story. Windows, Linux and Mac users cannot breathe easier either; instead, they should make sure their Chrome browsers are updated as soon as possible. The reason: Google now confirms that the security flaws affect the browser’s billions of users around the world.

Prudhvikumar Bommana, a member of the Google Chrome team, announced on May 10 that the same nine vulnerabilities which prompted the Android security update warning also apply to the desktop browser across all platforms. As I originally reported, there were 13 security fixes, but only nine CVE numbers have been assigned. It is not clear why the desktop updates took so long to be confirmed; I will investigate and report back. None of the vulnerabilities disclosed are zero-days, meaning there is no evidence that attackers have already exploited them. That is no reason to be complacent: please update Chrome as soon as possible.

Go to the Help > About Google Chrome option in your Chrome menu. If the update is available, it will start downloading automatically. You can find the full details here. The most important step, however, is to restart your browser to activate the update. The updated version is 101.0.4951.64, which includes the security fixes for the desktop client.

Users of other Chromium-powered web browsers, such as Brave or Edge, should expect security updates to follow within the next few days. As soon as I receive confirmation that the updates have been rolled out, I will update this article with details on what to do. Chrome for Android users still need to make sure that the app is up-to-date, as shown below.

May 12 Update: This post was originally published May 10.

The open-source Chromium project, which is at the heart of Google Chrome, was not hit by any zero-day exploits in this case. The Chrome security update for Android and desktop versions is already available. If your browser is not updating automatically, you should be able to force the installation of the Chrome security updates; instructions on how to do this are below.

The good news is that both Opera and Brave, which are built upon the Chromium foundation, can already be updated to guard against this batch of high-severity security vulnerabilities. Brave is my preferred browser because it provides excellent privacy features and makes security updates available quickly. Opera is usually quick to respond in this respect, too.

This brings me to the bad news for users of Microsoft Edge, the second most used desktop browser in the world. At the time of writing, Edge users still cannot get a security update, 48 hours after Google Chrome was updated. Microsoft knows about the vulnerabilities; a quick check of the Microsoft Edge security update release notes confirms this. In a May 10 post, Microsoft acknowledged the Chromium security updates and said it is working to release a security fix.

I reached out to Microsoft to find out the reason for this delay, and why Microsoft Edge users seem to have to wait longer to be protected against known vulnerabilities than Chrome, Brave or Opera users. Microsoft assured me that it would investigate, and I will update you in due course. To keep track of the security update’s arrival, I recommend that you read the following instructions. As with all Chromium-based browsers, you need to restart your browser for the update to be activated and protect you from any potential danger.

Microsoft must ensure that all fixes it applies are safe for users across the board. To see the dangers of Windows security updates, you only need to look at what happened with the Patch Tuesday rollout: multiple business users experienced authentication problems with the latest Patch Tuesday update, and an out-of-band fix for the original update will be available soon. However, I fail to understand why Opera and Brave, which have smaller user bases than Edge, can move with greater speed. Chrome has an enormous user base, with an estimated 3.2 billion users. All Chromium-based browsers wrap their own proprietary components around the shared code base, so they are not identical. Still, there must be a better way. The ideal solution would be coordinated disclosure among vendors with simultaneous releases of security updates. Given the competitive nature of the browser market, that is unlikely to happen. Even so, delays measured in days for security updates against the same vulnerabilities are not going to win my vote in terms of pure security effectiveness.

How to update Google Chrome browser (Desktop)

Go to the Help > About Google Chrome option in your Chrome menu; if an update is available, it will automatically start downloading. Restart the browser to activate the update.

How to update Microsoft Edge

Select Help and feedback > About Microsoft Edge from the three-dot menu at the top right; if an update is available, this will force the process to start. After downloading and installing, close all tabs and restart your browser.

How to update Brave’s browser

From the hamburger (three-line) menu, click on “About Brave”. This will initiate the update check and download. Restart your browser to activate the update.

How to update Opera browser

Opera users should look to the Opera O logo at the top left, rather than the top right as with most browsers, and select About Opera to trigger the update check. Restart the browser once the update has installed.
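Whichever of the browsers above you use, the underlying check is the same: compare the build you are running with the patched build. The following Python script is an added example, not code from the original article or from Google; it parses a Chrome/Chromium version string (from `--version` output or the About page) and compares it numerically against the patched builds named here, 101.0.4951.64 for desktop and 101.0.4951.61 for Android. The binary names it tries and the use of `--version` on Linux/macOS are my assumptions.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Patched builds named in the article: desktop 101.0.4951.64, Android 101.0.4951.61.
PATCHED_BUILDS: Dict[str, Version] = {"desktop": (101, 0, 4951, 64), "android": (101, 0, 4951, 61)}

# Chrome versions are four dotted integers, e.g. "Google Chrome 101.0.4951.64".
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text: str) -> Optional[Version]:
    """Pull the first four-part version out of a --version line or About-page text."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor, build, patch)

def is_patched(text: str, platform: str = "desktop") -> bool:
    """True when the build is at or above the patched build for that platform.

    Tuples compare numerically field by field, so 101.0.4951.100 ranks above
    101.0.4951.64 (a plain string comparison would get this wrong).
    """
    version = parse_version(text)
    if version is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return version >= PATCHED_BUILDS[platform]

def installed_chrome_version() -> Optional[str]:
    """Ask a local Chrome/Chromium binary for its version (Linux/macOS names assumed)."""
    for exe in ("google-chrome", "google-chrome-stable", "chromium", "chromium-browser",
                "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"):
        try:
            out = subprocess.run([exe, "--version"], capture_output=True, text=True, timeout=10)
        except (FileNotFoundError, subprocess.SubprocessError):
            continue
        if out.returncode == 0 and parse_version(out.stdout):
            return out.stdout.strip()
    return None

if __name__ == "__main__":
    line = installed_chrome_version()
    if line is None:
        print("No Chrome/Chromium binary found; pass the About-page text to is_patched() instead.")
    else:
        print(f"{line}: {'patched' if is_patched(line) else 'UPDATE NEEDED'}")
```

On Windows, Chrome does not print its version to the console, so paste the About-page text into `is_patched()` instead.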

For the moment, users of the Google Chrome browser on Macs, Windows and Linux can rest easy. The latest security alert is only for smartphone users. Google published 13 security fixes in a Chrome update confirmation on 9 May. Eight of these have received Common Vulnerabilities and Exposures (CVE) severity ratings of high, and one has been rated medium. The remaining four have been wrapped into a “various fixes” entry arising from ongoing internal security efforts.

$11,000 given to security researchers as bug bounty payments

Three of the high-severity Chrome for Android vulnerabilities earned the security researchers who reported them bug bounty payments totaling $11,000. A $5,000 bounty was paid for the medium-severity vulnerability. Four others are eligible for a payment, but Google has yet to confirm the amounts.

Update to Google Chrome v101.0.4951.61 as soon as possible

Forbes Straight Talking Cyber advises that you update Chrome on your smartphone as soon as possible to apply the vulnerability patches. Google stated that the fix is in progress and will be available on Google Play in the coming days. According to Google’s announcement, the updated version is Chrome v101.0.4951.61 for Android. My Samsung Galaxy Note 10+, at the time of writing, is still running the 26 April update, v101.0.4951.41 for Android, which has not been patched yet.

How to verify your Google Chrome version for Android

It is best to allow Google Play to update your app as soon as an update becomes available. To configure this, go to the menu in the Google Play app and head for Settings > Network preferences > Auto-update apps.

Check your Chrome for Android version by going to the three-dot menu in Chrome, selecting Help & Feedback and then Version Info.

To update manually, open Google Play, tap the profile icon at the top, and look for Updates available.

These are the Chrome security flaws that were fixed

These are the security flaws covered by the Chrome update. Note that Google withholds the full details of each fix until users have had the chance to update their browser app.

High severity rating

  • CVE-2022-1633: Use after free in Sharesheet.
  • CVE-2022-1634: Use after free in Browser UI.
  • CVE-2022-1635: Use after free in Permission Prompts.
  • CVE-2022-1636: Use after free in Performance APIs.
  • CVE-2022-1637: Inappropriate implementation in Web Contents.
  • CVE-2022-1638: Heap buffer overflow in V8 Internationalization.
  • CVE-2022-1639: Use after free in ANGLE.
  • CVE-2022-1640: Use after free in Sharing.

Medium severity rating

  • CVE-2022-1641: Use after free in Web UI Diagnostics.