Google Chrome 101 security warning for 3.2 billion users: update now

May 10 Update: This post was originally published on May 09

I spoke too soon when I reported yesterday that Google had confirmed a relatively rare update just for Android users of the Chrome browser. Windows, Linux, and Mac users can no longer breathe easy and instead should now also be checking that their Chrome browsers are updated as soon as possible. Why the change? Because Google has now confirmed that billions of users of the most popular web browser on the planet are affected by the latest security vulnerabilities.

In a May 10 announcement by Prudhvikumar Bommana from the Google Chrome team it was confirmed that the same nine vulnerabilities that prompted the Android security update warning also apply to the desktop browser across all platforms. Actually, there are 13 security fixes in all, as I originally reported, but only nine have been allocated CVE numbers. It is unclear at this time why there was a delay between the two updates being confirmed, but I will try to find out and report back. While none of the disclosed vulnerabilities are of the zero-day variety this time, meaning that there is no evidence that attackers are already exploiting them, that is no reason for complacency. So, please update your Chrome browser as soon as you are able.

In the case of the desktop browser, this means heading for the Help|About option in your Google Chrome menu. The update will automatically start downloading if it is available to you. The full details can be found here but the most important thing to remember is to restart the browser or the update will not be activated. The updated version that includes the security fixes in the desktop client is 101.0.4951.64.

Users of other Chromium-powered web browsers such as Brave and Edge should also be alert to the fact that security updates will likely follow in the coming days. I will update this article as soon as I can confirm those updates have rolled out, with instructions on what you need to do. Of course, Chrome for Android users also still need to ensure that the app is updated, as below.

Windows, Linux and Mac users of the Google Chrome browser can breathe easy for the moment. This latest security warning is directed solely at smartphone users for a change. In a Chrome update confirmation published 9 May, Google has revealed no fewer than 13 security fixes. Of these, eight have been assigned Common Vulnerabilities and Exposures (CVE) severity ratings of high, with one getting a medium rating. The remainder, four in all, are wrapped up as 'various fixes' from ongoing internal security work that have not been given CVE numbers.


$11,000 awarded to security researchers in bug bounty payments

Of those that have been assigned ratings, three high-severity Chrome for Android security vulnerabilities saw bug bounty payments totalling $11,000 made to the security researchers who disclosed them. The solitary medium-severity vulnerability earned a $5,000 bounty payment. Four of the others are in line for a monetary payment but the amounts have yet to be confirmed by Google.

Update to Google Chrome v101.0.4951.61 as soon as you can

As usual, the Forbes Straight Talking Cyber advice is to ensure that your smartphone is updated as soon as possible so that the vulnerability patches can be applied. Google has stated that the fix is rolling out now and should become available on Google Play “over the next few days.” The updated version, according to the Google announcement, is Chrome v101.0.4951.61 for Android. At the time of writing, my Samsung Galaxy Note 10+ is still on the 26 April update of v101.0.4951.41 and so not yet patched.

How to check your Google Chrome for Android version number

The best advice is to let Google update your app as soon as it becomes available. To configure this, go to the three-dot menu in the Google Play app and head for Settings|Network preferences|Auto-update apps.

To check your Chrome for Android version number, go to the three-dot menu in the Chrome app itself and select Help & Feedback, then select Version Info from the three-dot menu there.

To check Google Play for the latest version, open the app and tap your profile icon at the top right. From here you want Manage apps and device|Updates available.
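Reading the version string off the About screen is fine for one device, but anyone responsible for a fleet will want the same check done programmatically against the two fixed builds the article names (101.0.4951.64 for desktop, 101.0.4951.61 for Android). The script below is an added illustration, not code from Google or from this article; the host names and inventory entries are constructed, and the version 101.0.4951.9 is a made-up value included only to show why dotted versions must be compared numerically, not as text.

```python
"""Check installed Chrome builds against the fixed versions named in the article.

Added example, not Google's or Forbes' code. Host names and the inventory are
constructed for demonstration.
"""
from __future__ import annotations

import re

# Fixed versions stated in the article.
FIXED = {
    "desktop": "101.0.4951.64",  # Windows, Linux and Mac
    "android": "101.0.4951.61",
}

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '101.0.4951.64' into (101, 0, 4951, 64).

    Comparing the tuple compares each component as an integer. Comparing the
    raw strings would rank '101.0.4951.9' above '101.0.4951.64', because '9'
    sorts after '6' as text, and would wrongly mark an older build as patched.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a four-part Chrome version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(installed: str, platform: str) -> bool:
    """True if the installed build is at or above the fixed version for its platform."""
    return parse_version(installed) >= parse_version(FIXED[platform])


def triage(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """Return the (host, platform, version) entries that are still below the fix."""
    return [entry for entry in inventory if not is_patched(entry[2], entry[1])]


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = [
    ("laptop-01", "desktop", "101.0.4951.64"),  # exactly the fixed desktop build
    ("laptop-02", "desktop", "101.0.4951.9"),   # constructed: text-sorts high, is actually older
    ("phone-01", "android", "101.0.4951.41"),   # the 26 April build the author still had
    ("phone-02", "android", "101.0.4951.61"),   # exactly the fixed Android build
]

if __name__ == "__main__":
    for host, platform, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {platform} Chrome {version} is below {FIXED[platform]}")
```

Running the script lists laptop-02 and phone-01 as unpatched. The comparison is deliberately `>=` against the fixed build rather than `==`, so later releases count as patched too.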

These are the Chrome security vulnerabilities that have been fixed

The nine security vulnerabilities covered by this Chrome update are as follows. Remember that Google restricts access to the full details until a majority of users have had the chance to update their browser app.

High severity rating:

  • CVE-2022-1633: Use after free in Sharesheet.
  • CVE-2022-1634: Use after free in Browser UI.
  • CVE-2022-1635: Use after free in Permission Prompts.
  • CVE-2022-1636: Use after free in Performance APIs.
  • CVE-2022-1637: Inappropriate implementation in Web Contents.
  • CVE-2022-1638: Heap buffer overflow in V8 Internationalization.
  • CVE-2022-1639: Use after free in ANGLE.
  • CVE-2022-1640: Use after free in Sharing.

Medium severity rating:

  • CVE-2022-1641: Use after free in Web UI Diagnostics.
