April 29 update below. This post was originally published on April 27.
It’s been an amazingly busy few weeks in the world of Google Chrome security and the pace doesn’t seem to be slowing down. On the heels of two emergency fixes for exploits in the wild, and the confirmation of a record number of Chromium zero days in 2021, comes another truly massive security update for billions of Chrome users. How massive would that be? Well, the recently confirmed stable channel update for desktop that brings Google Chrome to version 101.0.4951.41 for Windows, Mac, and Linux users fixes no less than 30 security vulnerabilities.
No Google Chrome zero-day is no reason for user update complacency
Fortunately, at least for now, neither of these are zero days when attackers are already known to be exploiting vulnerabilities. However, that does not mean that user complacency should be the order of the day. As always, I recommend that you launch Chrome Security Update 101 as soon as possible instead of waiting for it to roll out in the coming days and weeks. And, most importantly, make sure it’s properly activated, whether you update now or choose to wait.
April 29 Update: Because Chrome isn’t the only web browser client employing the Chromium engine under the hood, users of those browsers should also keep an eye out for security updates. I can confirm that, at the time of writing, my copies of Brave and Microsoft Edge have now been updated to include the latest version of Chromium 101.0.4951.41, as you can see in the screenshots below. Just as important, make sure these browsers have been updated to apply any necessary security patches, and that means restarting them just like you would Google Chrome itself.
As far as Brave users are concerned, you need to head to the three-stripe “burger” menu and select the “About Brave” option. Again, this will force the browser to immediately check if an update is available and download it if that is the case. At the risk of sounding like a broken record, don’t forget to restart your browser to make sure the patch has been applied and is protecting you.
To check the version number and start the Microsoft Edge update process, go to the ‘three dots’ menu at the top right of the screen. From here select ‘Help & Feedback|About Microsoft Edge’. This will immediately check to see if an update is available and start downloading if that is the case. You’ll then be prompted to restart your browser, so make sure you’ve closed all open tabs and saved the information you need.
Unfortunately, neither Opera nor Vivaldi had been updated at the time of writing, so keep checking back if you use them. For Opera, you need to head to the top left and the Opera icon. The menu option you want is Help | About Opera, as expected. Vivaldi users can select Help|Check for Updates from the ‘V’ logo menu.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued a confirmation of the importance of these security updates in an April 28 release. CISA says that it “encourages users and administrators to review the Chrome release notes and apply any necessary patches,” as an attacker could exploit the vulnerabilities to take control of an affected system.
$80,000 worth of Chrome vulnerabilities patched
Of the 30 vulnerabilities, seven have a high risk rating, while 14 have a medium Common Vulnerabilities and Exposures (CVE) rating. In total, more than $80,000 has been confirmed through Google bounty payments to the researchers who found these security issues.
While full technical details of the vulnerabilities being patched have not yet been released, we know they include the following 25 specific vulnerabilities, the remaining five fall under the umbrella of “various internal audit fixes, fuzzing, and other initiatives.”
- CVE-2022-1477: Use after free in Vulkan.
- CVE-2022-1478: Use after free in SwiftShader.
- CVE-2022-1479: Use after free on ANGLE.
- CVE-2022-1480: Use after free in device API.
- CVE-2022-1481: Use after free in Share.
- CVE-2022-1482: Improper implementation in WebGL.
- CVE-2022-1483: WebGPU heap buffer overflow.
Medium Rating Vulnerabilities:
- CVE-2022-1484: Heap buffer overflow in web UI configuration.
- CVE-2022-1485: Use after free in the file system API.
- CVE-2022-1486: Type confusion in V8.
- CVE-2022-1487: Use after free in Ozone.
- CVE-2022-1488: Improper implementation in the Extensions API.
- CVE-2022-1489: Memory access out of bounds in UI shelf.
- CVE-2022-1490: use after free in browser picker.
- CVE-2022-1491: Use after free in Bookmarks.
- CVE-2022-1492: Insufficient data validation in Blink Editing.
- CVE-2022-1493: Use after free in Dev Tools.
- CVE-2022-1494: Insufficient data validation on trusted types.
- CVE-2022-1495: Incorrect security UI in Downloads.
- CVE-2022-1496: Use after free in File Manager.
- CVE-2022-1497: Improper implementation in Input.
- CVE-2022-1498: Improper implementation in HTML Parser.
- CVE-2022-1499: Improper implementation in WebAuthentication.
- CVE-2022-1500: Insufficient data validation in development tools.
- CVE-2022-1501: Improper implementation in iframe.
How to apply the massive Google Chrome security patch right now
Go to the Help|About option in the Google Chrome menu and if the update is available, it will start downloading automatically.
Remember to restart your browser after the update has been installed, or it will not activate and remain vulnerable to attack. This last point is the same if you get the automatic update without starting the process: it will not activate until your browser is restarted. Given how many people keep a browser with thousands of tabs open all the time, I can’t stress enough how important this is.