Google Chrome has Patched an Urgent Security Flaw — What to Do Now

Google Chrome has Patched an Urgent Security Flaw — What to Do Now

Google has released its fourth security update in the past three weeks to its desktop Chrome browser for Windows, Mac, and Linux.

The new version of Chrome and its Chromium open source foundation is listed as 90.0.4430.85 and was released late yesterday (April 20). This version fixes seven security flaws, one of which is a "zero-day" (sort of) flaw that was out in the wild before Google fully patched it.

The vulnerability, which turned out not to be a zero-day flaw, appears to be the same as the one disclosed on Twitter in the middle of last week.

On Windows and Mac, updating Chrome is easy. It updates automatically when the browser starts, so just close the browser and start it again to begin the update; for Linux, you will have to wait for the next update of the distribution.

To confirm that Chrome has been updated, click on the three vertical dots in the upper right corner of the browser window, move the cursor to "Help" and click "About Google Chrome" from the menu that appears.

A new tab will open. You will see that your browser is up-to-date or a newer version will be downloaded.

Google's official Chrome Releases blog generously details five security flaws discovered by outside researchers, aside from two discovered internally. Three of them are problems with the V8 JavaScript engine used in Chromium, including one that was revealed online last week.

One of the flaws has been assigned catalog number CVE-2021-21224 and is described as resulting from "type confusion in V8." Srinivas Sista, the author of the blog post, stated wryly, "Google is aware of reports that the CVE-2021-21224 exploit is out in the wild."

Credit for this discovery (and a yet-to-be-determined bug bounty) goes to Argentine security researcher Jose Martinez of VerSprite Inc. whose hacker handle is "tr0y4."

Another Chinese researcher calling himself "frust" posted a link on Twitter on April 14 to code that pops open the Notepad application if a malicious web page is loaded in Windows Chrome.

Last night, Martinez explained on Twitter that he filed a bug report with Google on April 5.

According to Martinez, Google fixed the problem with its open source V8 engine on April 12 and made the changes public.

The same thing happened with an earlier flaw in V8 that had been disclosed by two European researchers who used it to win $100,000 in a Pwn2Own hacking contest earlier this month.

The Indian researchers observed subsequent changes to V8 and declared their own "zero-day" flaw, which was later retracted. The flaw was fixed on April 13 in Chrome/Chromium version 89.0.4389.128.

A true zero-day flaw is one of which the developers of the affected software are unaware before it is released to the public.

These hacks and patches made for a busy month for Chrome and Chromium developers. Below is a list of updates since March 1:

Brave, Microsoft Edge, Opera, Vivaldi, and other well-known browsers based on Chromium. As of this writing (April 21, 12:45 PM New York time), Brave is still an older version of Chromium, Vivaldi is two versions behind, and Opera is three versions behind.

Edge uses a slightly different numbering system, but since it has been updated at least once since the last documented security update on April 16, we can presume that Edge is up to date.

Edge and Brave updates are similar to Chrome updates. Click on the settings icon in the upper right corner of the browser window, scroll down and look for something labeled "About" at or near the bottom of the menu." Sometimes "About" is hidden in the "Help" menu.

In Opera and Vivaldi, first click on the browser icon in the upper left corner of the window, scroll down to "Help," and click "About" in the fly-out menu.

Similar to Chrome, the "About" tab checks for available updates and generates a new tab to install.

.

Categories