Google distributed an update to the desktop version of Chrome yesterday (October 28) that fixes eight security vulnerabilities.
The update brings the version of Chrome for Windows, Mac, and Linux to 95.0.4638.69. Windows and Mac users can usually install the update simply by restarting their browser, while Linux users may need to wait until their distribution bundles the update into their normal update package.
Otherwise, you can force Chrome to update: click the three vertical dots in the upper right corner of the browser window, move the mouse down, and click Help. Click "About Google Chrome" from the menu that appears, and a new tab will open, indicating either that Chrome is up to date or that an update is being downloaded.
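For more than one machine, the same check can be done by comparing each reported version against 95.0.4638.69. The following is an added example, not part of the original article; the host names and inventory lines are constructed, and the `Google Chrome <version>` line format is assumed to be what `google-chrome --version` prints.

```python
import re

# Fixed desktop build named in the article.
FIXED = (95, 0, 4638, 69)

# Assumed line format: "Google Chrome <a.b.c.d>".
VERSION_RE = re.compile(r"Google Chrome\s+(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(line):
    """Return the version as a tuple of four ints, or None if the line does not match."""
    m = VERSION_RE.search(line)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(line, fixed=FIXED):
    """Return 'patched', 'outdated' or 'unknown' for one reported version line."""
    version = parse_version(line)
    if version is None:
        return "unknown"
    # Compare numerically, component by component. Comparing the raw strings
    # would wrongly rank "95.0.4638.100" below "95.0.4638.69".
    return "patched" if version >= fixed else "outdated"


def audit(inventory):
    """Map each host to its status, given {host: version line}."""
    return {host: classify(line) for host, line in inventory.items()}


# Constructed sample inventory (host names and versions are made up for the example).
SAMPLE = {
    "ws-01": "Google Chrome 95.0.4638.69",
    "ws-02": "Google Chrome 95.0.4638.54",
    "ws-03": "Google Chrome 95.0.4638.100",
    "ws-04": "Google Chrome 94.0.4606.81",
    "ws-05": "command not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual look, since a missing or unparseable version is not evidence that the browser is patched.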
The first of the two patched zero-day flaws involves "insufficient validation of untrusted input in Intents," a protocol Chrome uses to find the best web app to handle a particular purpose (cataloged as CVE-2021-38000). The other involves "improper implementation in V8," Chrome's JavaScript engine (cataloged as CVE-2021-38003).
The former allows web apps to play tricks, while the latter presumably allows websites to do the same. Google has said nothing further.
Since the reporters of these flaws all work for Google, they probably will not get bug bounties. However, Wei Yuan of MoyunSec VLab found a "use-after-free" bug in Chrome's sign-in protocol and won $10,000.
Use-after-free means that memory was not properly handled after the protocol finished using it: the code keeps using a reference to memory that has already been released, which could allow a malicious program to get into that memory space.
The other four flaws also involve use-after-free issues, insufficient validation, V8, or a combination thereof. Google has said nothing about the eighth vulnerability being patched.
Several other browsers that share Chrome's open-source Chromium foundation have also been updated to newer versions, including Brave and Microsoft Edge. (Like Chrome, they can be updated by restarting.) Other browsers, such as Opera and Vivaldi, are not quite there yet.
Google has already patched more than 10 zero-day flaws in this exceptionally busy year. Whether this is a good thing, indicating that more defects will be discovered, or a bad thing, potentially leading to more zero-days in general, is not known.