Google Chrome, Edge & Opera just patched urgent security flaws — what to do right now
Seven serious flaws fixed in latest update
Google has pushed out yet another security update to the desktop version of the Chrome browser on Windows, Mac and Linux, the fourth such update in the past three weeks.

The new version of Chrome and its Chromium open-source underpinnings is labeled 90.0.4430.85 and was released late yesterday (April 20). It patches seven security flaws, including one "zero-day" (sort of) flaw that was disclosed in the wild before Google had a chance to fully patch it.

That vulnerability, which turned out to be not quite a zero-day flaw, appears to be the same as one disclosed on Twitter in the middle of last week, as opposed to a different zero-day(ish) flaw posted on Twitter at the beginning of last week.
How to update Chrome
Updating Chrome is easy on Windows or Mac. The browser will automatically update itself when it launches, so you can just close and then relaunch it to trigger that process. On Linux, you'll likely have to wait for your distribution's next batch of updates.

To make certain Chrome has been updated, click the three vertical dots at the top-right of the browser window, move your cursor down to "Help" and click "About Google Chrome" in the fly-out menu that appears.

A new tab will open. It either will tell you that your browser is up-to-date or will download the new version, in which case you'll need to relaunch the browser.
Dueling credits
Google's official Chrome Releases blog gave sparing details of the five security flaws discovered by outside researchers, if not the two found in-house. Three have to do with issues in the V8 JavaScript engine used in Chromium, including the one revealed online last week.

That one flaw is assigned the catalog number CVE-2021-21224 and described as resulting from "Type Confusion in V8". Blog post author Srinivas Sista dryly noted that "Google is aware of reports that exploits for CVE-2021-21224 exist in the wild," normally the hallmark of a zero-day flaw.
Credit (and an as-yet-undetermined bug bounty) for that discovery goes to Argentine security researcher Jose Martinez of VerSprite Inc., whose hacker handle is "tr0y4".

Another person, a Chinese researcher calling himself "frust," posted a link on Twitter April 14 to code that would pop open the Notepad application if a malicious web page loaded in Chrome on Windows.
On Twitter last night, Martinez explained that he'd submitted his bug report to Google on April 5, as confirmed by the Google blog post.

Martinez said Google fixed the issue in the open-source V8 engine April 12 and made the changes public, which meant that people like frust could reverse-engineer the changes and then claim to have found a "zero-day" flaw.

The same thing happened with a previous flaw in V8 that had been disclosed by two European researchers who used it to win $100,000 at the Pwn2Own hacking contest earlier this month.

An Indian researcher observed the subsequent changes to V8 and declared his own "zero-day" flaw, but later walked back that declaration. That flaw was patched with Chrome/Chromium version 89.0.4389.128 on April 13.
A real zero-day flaw is one that the affected software's developers aren't even aware of before it appears in the wild, hence giving them "zero days" to fix it before it becomes public.

All this hacking and patching has resulted in a busy month for Chrome and Chromium developers. Here's a list of the updates since March 1:
- 4/20: 90.0.4430.85
- 4/14: 90.0.4430.72
- 4/13: 89.0.4389.128
- 3/30: 89.0.4389.114
- 3/12: 89.0.4389.90
- 3/05: 89.0.4389.82
- 3/02: 89.0.4389.72
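Checking a fleet against this list by hand is error-prone because the four-part version strings do not sort as plain text (89.0.4389.128 is newer than 89.0.4389.90). The following script is an added example, not code from the article or from Google: it parses the version out of text such as the output of `google-chrome --version`, reports whether a browser is at or above 90.0.4430.85 (the release carrying the CVE-2021-21224 fix), and counts how many of the listed releases it is behind. The sample version strings are constructed; it only applies to browsers that report the Chromium version, so Edge's different numbering is out of scope.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Release that fixes CVE-2021-21224, per the article.
FIXED_VERSION = "90.0.4430.85"

# Chrome/Chromium releases since March 1, as listed in the article (date, version).
RELEASES = [
    ("4/20", "90.0.4430.85"),
    ("4/14", "90.0.4430.72"),
    ("4/13", "89.0.4389.128"),
    ("3/30", "89.0.4389.114"),
    ("3/12", "89.0.4389.90"),
    ("3/05", "89.0.4389.82"),
    ("3/02", "89.0.4389.72"),
]

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text: str) -> Optional[Version]:
    """Extract a four-part Chromium version (e.g. from "Google Chrome 90.0.4430.85")
    as a tuple of ints so that comparisons are numeric, not lexical."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_patched(text: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if the reported version is at or above the fixed release,
    False if it is behind, None if no version string could be found."""
    found = parse_version(text)
    fixed_v = parse_version(fixed)
    if found is None or fixed_v is None:
        return None
    return found >= fixed_v


def versions_behind(text: str) -> Optional[int]:
    """Number of listed releases newer than the reported version
    (the article's "Vivaldi was two versions behind" measure)."""
    found = parse_version(text)
    if found is None:
        return None
    return sum(1 for _, v in RELEASES if parse_version(v) > found)


if __name__ == "__main__":
    # Constructed sample strings, not captured from real machines.
    for sample in ["Google Chrome 90.0.4430.85", "Chromium 89.0.4389.128"]:
        state = "patched" if is_patched(sample) else "behind"
        print(f"{sample}: {state}, {versions_behind(sample)} release(s) behind")
```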
Several other well-known browsers base themselves on Chromium, including Brave, Microsoft Edge, Opera and Vivaldi. As of this writing (12:45 p.m. New York time April 21), Brave was still on the previous version of Chromium, Vivaldi was two versions behind and Opera three versions behind.

Edge uses a slightly different numbering system, but it has been updated at least once since its last documented security update on April 16, so we can presume Edge is up-to-date.

Updating Edge or Brave is similar to updating Chrome. Click the settings icon on the top right of the browser window and scroll down looking for something marked "About" at or near the bottom of the menu. "About" may also be hiding in a "Help" fly-out menu.

In Opera and Vivaldi, start by clicking the browser icon at the top left of the window, then scroll down to "Help" and click "About" in the fly-out menu.

As with Chrome, the "About" tab will generate a new tab that will check for and install any available updates.