It’s been a breathtakingly busy few weeks in the world of Google Chrome security and the pace doesn’t appear to be slowing down. Hot on the heels of two emergency fixes for in-the-wild exploits, and confirmation of a record number of Chromium zero-days across 2021, comes another truly massive security update for billions of Chrome users. How massive would that be? Well, newly confirmed stable channel update for desktop which takes Google Chrome to version 101.0.4951.41 for Windows, Mac and Linux users fixes no less than 30 security vulnerabilities.
No Google Chrome zero-days is no reason for user update complacency
Thankfully, for now at least, none of these are zero-days where attackers are known to already be exploiting the vulnerabilities. However, that doesn’t mean that user complacency should be the order of the day. As always, I recommend you kick-start the Chrome 101 security update as soon as possible rather than wait for it to be rolled out to you in the coming days and weeks. And, importantly, ensure that it is properly activated whether you update now or choose to wait.
$80,000 worth of Chrome vulnerabilities patched
Of the 30 vulnerabilities, seven are rated high risk while 14 get a medium Common Vulnerabilities and Exposures (CVE) rating. In all, more than $80,000 has been confirmed by way of Google bounty payments to the researchers who found these security problems.
While all the technical detail of the vulnerabilities being patched has yet to be released, we do know that they include the following 25 specific ones, the remaining five coming under the ‘various fixes from internal audits, fuzzing and other initiatives’ umbrella.
- CVE-2022-1477: Use after free in Vulkan.
- CVE-2022-1478: Use after free in SwiftShader.
- CVE-2022-1479: Use after free in ANGLE.
- CVE-2022-1480: Use after free in Device API.
- CVE-2022-1481: Use after free in Sharing.
- CVE-2022-1482: Inappropriate implementation in WebGL.
- CVE-2022-1483: Heap buffer overflow in WebGPU.
- CVE-2022-1484: Heap buffer overflow in Web UI Settings.
- CVE-2022-1485: Use after free in File System API.
- CVE-2022-1486: Type Confusion in V8.
- CVE-2022-1487: Use after free in Ozone.
- CVE-2022-1488: Inappropriate implementation in Extensions API.
- CVE-2022-1489: Out of bounds memory access in UI Shelf.
- CVE-2022-1490: Use after free in Browser Switcher.
- CVE-2022-1491: Use after free in Bookmarks.
- CVE-2022-1492: Insufficient data validation in Blink Editing.
- CVE-2022-1493: Use after free in Dev Tools.
- CVE-2022-1494: Insufficient data validation in Trusted Types.
- CVE-2022-1495: Incorrect security UI in Downloads.
- CVE-2022-1496: Use after free in File Manager.
- CVE-2022-1497: Inappropriate implementation in Input.
- CVE-2022-1498: Inappropriate implementation in HTML Parser.
- CVE-2022-1499: Inappropriate implementation in WebAuthentication.
- CVE-2022-1500: Insufficient data validation in Dev Tools.
- CVE-2022-1501: Inappropriate implementation in iframe.
How to apply the massive Google Chrome security patch right now
Head for the Help|About option in your Google Chrome menu, and if the update is available, it will automatically start downloading.
Remember to restart your browser after the update has been installed, or it will not activate, and you will still be vulnerable to attack. This last point is the same if you get the automatic update without kick-starting the process – it will not activate until your browser is restarted. Given the number of people who keep a browser with a gazillion tabs open running all the time, I cannot emphasize the importance of this enough.