Google Chrome’s Emergency Security Update Amid Ongoing Cyberattacks
April 17 update below. This article was originally published on April 14
Google has now released three emergency out-of-band security updates for the Chrome browser in as many weeks. This one, like the first, fixes a high-severity zero-day vulnerability that is already being exploited by attackers.
Three emergency Google Chrome security updates in three weeks
Google has released another emergency security update for all 3.2 billion Chrome web browser users. It is the third such update in three weeks and addresses a single high-severity vulnerability. This one, like the first of this worrying triumvirate, is a zero-day: Google has confirmed that an exploit for it already exists in the wild.
How serious is CVE-2022-1364?
The similarities don’t end there. CVE-2022-1364, the vulnerability in question, is another ‘Type Confusion in V8’, meaning it affects the JavaScript engine used by Chromium-powered browsers such as Google Chrome, Microsoft Edge, Brave and others. As before, Google has not made further technical details available: the update announcement notes that access to bug details and links may be kept restricted until a majority of users have the fix, standard practice for a bug that is already being exploited, since publishing the details would hand attackers a working recipe while the patch is still rolling out.
The rollout has already begun and the patch should reach everyone over the coming days and weeks. This emergency update takes Chrome to version 100.0.4896.127 on Windows, Mac and Linux. Users of other Chromium-based browsers such as Microsoft Edge, Brave, Vivaldi and Opera should watch for corresponding updates, which should follow shortly.
Curiously, Google’s update announcement says it includes two security fixes, but lists only CVE-2022-1364, reported by Clément Lecigne of the Google Threat Analysis Group. The severity of the bug is further evidenced by the timeline: it was reported to Google on April 13 and the update shipped the following day, a very welcome but unusually fast turnaround.
I contacted Google for a statement.
Google’s vulnerability disclosure system works as expected
As I said before, this does not mean Google’s security is poor; quite the contrary. The discovery and rapid patching of these vulnerabilities is evidence of the maturity of Chrome’s security program, and proof that the vulnerability disclosure system works, and works well. Of course, it would be better if such severe bugs weren’t in the code to begin with, but we don’t live in an ideal world where mistakes aren’t made.
How to Apply Google Chrome Security Patch
Chrome should update automatically as the fix becomes available. However, since attacks are already in progress, it is advisable to trigger the update check yourself rather than wait.
Head to Help | About Google Chrome in the menu. If your version is not showing as 100.0.4896.127 or later, you are still vulnerable to the known exploit. Opening the About page also triggers an update check, and the download should start automatically. It may take a few days for the update to reach everyone, so be patient if you don’t see it yet.
Also, remember to restart the browser after the update has downloaded. Until you do, the old, vulnerable build is still the one running, and you remain exposed to attacks.
Update April 15: Good news for Brave users, the update is already rolling out. My copy of Brave was updated this morning as you can see in the screenshot below. Simply navigate to the “About Brave” entry in the burger stack menu and Brave will automatically initiate the update process.
Update April 17: Following my previous update that users of the Brave web browser could already patch against the zero-day vulnerability in the Chromium engine, there is more good news. I can confirm that Microsoft Edge users will also be protected once the latest browser security update is downloaded and installed. Instructions for doing this are below.
Do not wait for the automatic update: a type confusion bug of this kind can let a remote attacker execute code via a crafted web page, and an exploit is already in use in the wild. Simply checking your Edge browser version will start the download if an update is ready.
It’s good to see that Microsoft reacted so quickly to this vulnerability. That said, my copy of the Brave browser still beat Microsoft to the vulnerability patch punch. I checked Brave and Edge simultaneously for updates, and Edge had no updates rolled out and available to me at that time yet. This could be a scale advantage, with Brave obviously being a much smaller operation than Microsoft and a much smaller user base to consider. However, since they both use the same Chromium engine to power the respective browsers, I don’t think it’s asking too much to expect big updates like this to come out together. Indeed, I’d be happier if updates were rolled out to all browsers at once rather than everyone being a step or two behind Google Chrome.
And don’t just take my word for it, or Google’s, which not only discovered the problem but released an emergency patch: consider the US government as well. The Cybersecurity and Infrastructure Security Agency (CISA) also confirmed that the vulnerability “has been detected in exploits in the wild” and encourages users and administrators to apply the necessary updates. While this doesn’t carry the same weight as a formal CISA alert, or an emergency directive that requires federal agencies to fix within a set time frame, it clearly signals that this is not an ordinary security patch.
How to make sure Microsoft Edge has the latest security update
1. From the “three dots” menu at the top right, select “Help & feedback | About Microsoft Edge”.
2. Edge immediately checks for an update and starts downloading one if it is available.
3. Once the download is complete, restart the browser to finish the installation; until you do, the old version is still the one running and you are not yet protected.
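Checking the About page works for one machine, but an administrator with a fleet, or anyone scripting the check described in the two how-to sections above, runs into a pitfall: compared as text, "100.0.4896.127" sorts before "99.0.4844.84", so a naive string comparison would call a vulnerable Chrome 99 build "patched". The following Python script is an added example, not the article’s own code or Google’s: it reads the browser’s `--version` banner, splits the version into integers and compares it numerically against the fixed Chrome build the article gives. The binary names it probes and the banner formats in the comments are assumptions. Brave and Edge use their own version numbering, so the Chrome number does not apply to them; their fixed versions are not given in the article and must be supplied by the caller.

```python
"""Check whether a Chromium-family browser build is at or above a fixed version.

Added example (not from the original article or from Google). The only fixed
version it knows is the one the article gives for Google Chrome,
100.0.4896.127. Brave and Microsoft Edge use their own numbering, so pass
their respective fixed versions in yourself via the `fixed` argument.
"""
import re
import shutil
import subprocess
from typing import Optional, Sequence, Tuple

# Fixed Chrome build named in the article (CVE-2022-1364).
CHROME_FIXED_VERSION = "100.0.4896.127"

# Matches the dotted number in banners such as "Google Chrome 100.0.4896.127"
# or "Chromium 100.0.4896.127 snap" (assumed banner formats).
_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted version from `--version` output and return it as ints.

    Numeric comparison is the whole point: as strings, "100.0.4896.127" is
    *less* than "99.0.4844.84" because '1' sorts before '9'.
    """
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_patched(installed: str, fixed: str = CHROME_FIXED_VERSION) -> bool:
    """True if `installed` is the fixed build or newer, False if older."""
    inst, fix = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple so "100.1" compares as "100.1.0.0".
    width = max(len(inst), len(fix))
    inst += (0,) * (width - len(inst))
    fix += (0,) * (width - len(fix))
    return inst >= fix


def installed_version(
    candidates: Sequence[str] = (
        "google-chrome",         # assumed binary names for Linux installs
        "google-chrome-stable",
        "chromium",              # Chromium shares Chrome's version numbering
        "chromium-browser",
    ),
) -> Optional[str]:
    """Run the first browser binary found on PATH with --version.

    Returns the banner line, or None if no candidate binary is installed.
    Note: this reports the binary on disk, not the process currently running.
    """
    for name in candidates:
        path = shutil.which(name)
        if path:
            result = subprocess.run(
                [path, "--version"], capture_output=True, text=True, timeout=15
            )
            return result.stdout.strip() or None
    return None


if __name__ == "__main__":
    banner = installed_version()
    if banner is None:
        print("no Chrome/Chromium binary found on PATH")
    else:
        state = "patched" if is_patched(banner) else "VULNERABLE: update and restart"
        print(f"{banner} -> {state}")
```

Note that `--version` reports the binary on disk, not the browser process that is currently running. A "patched" result therefore still requires the restart the article describes before the fix is actually in effect.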