April 17 Update below. This post was originally published on April 14
Google has now released three emergency, out-of-band security updates for the Chrome browser in as many weeks. What’s more, this one, like the first, fixes a high-severity zero-day vulnerability that is already being exploited by attackers.
Three emergency Google Chrome security updates in three weeks
Google has issued yet another emergency security update for all 3.2 billion users of the Chrome web browser. It is the third such update to be rushed out in three weeks, and it discloses a single high-severity vulnerability. This one, like the first of this worrying threat triumvirate, is a zero-day vulnerability: one that Google has confirmed is already being exploited by attackers.
How serious is CVE-2022-1364?
The security update process will have already started and the fix should become available to you in the course of the coming days and weeks. This emergency update takes Chrome to version 100.0.4896.127, across the Windows, Mac and Linux desktop platforms. Users of browsers such as Microsoft Edge, Brave, Vivaldi and Opera are advised to be alert to likely updates for those becoming available shortly.
Oddly, the Google update announcement states that it includes two security fixes but only actually lists one: CVE-2022-1364, a type confusion bug in the V8 JavaScript engine, disclosed by Clément Lecigne of the Google Threat Analysis Group. The seriousness of this vulnerability is highlighted yet again by the fact that it was reported to Google on April 13 and the security update released the following day. That’s a very welcome, but equally unusual, fast turnaround.
I have reached out to Google for a statement.
Google vulnerability disclosure system working as intended
As I have said before, this doesn’t equate to poor security from Google, quite the opposite in fact. The maturity of the Google Chrome security program is evidenced by the discovery and remediation of these vulnerabilities. It is proof that the vulnerability disclosure system is working, and working well. Of course, it would be better if there were no such high-severity vulnerabilities in the code to start with, but the truth of the matter is we don’t live in an ideal world where mistakes are not made.
How to apply the Google Chrome security patch
Chrome should automatically update itself as the fix becomes available to you. However, you are advised to kickstart the updating process as soon as possible given that attacks are underway.
Head for the Help|About option in your Google Chrome menu. If your version of Chrome is not showing as 100.0.4896.127 or later, it is still vulnerable to the known exploit. Opening that page should, however, start the update downloading automatically. It may take a few days for the update to reach everyone, so be patient if you are not seeing it yet.
Also, remember to restart your browser after the update has been installed, or it will not activate, and you will still be vulnerable to attack.
Update April 15: Good news for Brave users: the update is already rolling out. My copy of Brave updated this morning, as you can see in the screenshot below. Just go to the ‘About Brave’ entry from the burger stack menu and Brave will automatically start the update process.
Update April 17: Following on from my previous update that users of the Brave web browser were able to patch against the zero-day vulnerability discovered in the Chromium engine, there’s some more good news. I can confirm that Microsoft Edge users will also be protected once the latest security update for the browser has been downloaded and installed. Instructions for doing this are below.
Please don’t wait for an automatic update: this vulnerability lets an attacker run code of their choosing inside the browser from a crafted web page, and an in-the-wild exploit already exists. Simply checking which version of Edge you are running will kick-start the download if an update is ready.
It’s good to see that Microsoft has responded so quickly to this vulnerability. That said, my copy of the Brave browser still beat Microsoft to the vulnerability patching punch. I checked both Brave and Edge for updates simultaneously, and Edge was yet to have any update rolled out and available to me at that time. This could be a benefit of scale, with Brave obviously being a much smaller operation than Microsoft and having a much smaller userbase to consider. However, given that they both employ the same Chromium engine to power their respective browsers, I don’t think it’s asking too much to expect important updates like this to come out together. Indeed, I’d be happiest if the updates were rolled out across all browsers at the same time rather than everyone being a step or two behind Google Chrome.
And don’t just take my word for how dangerous this situation is, or that of Google, which not only discovered the problem but issued an emergency fix; take heed of the US Government as well. The Cybersecurity and Infrastructure Security Agency (CISA) has also confirmed that the vulnerability “has been detected in exploits in the wild” and encourages users and administrators to apply the necessary updates. While this does not carry quite the same weight as an official CISA alert or, indeed, an emergency directive that requires patching within federal agencies by a set deadline, it does still clearly indicate this is not just your run-of-the-mill security patch.
How to ensure Microsoft Edge has the latest security update
1. From the ‘three dot’ menu top right, select ‘Help and feedback|About Microsoft Edge’
2. This will immediately check if an update is available and start downloading if that is the case.
3. Once the download is complete you will need to restart the browser to ensure the installation is properly completed and that you are protected.
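Both the Chrome check above (Help|About, look for 100.0.4896.127 or later) and the Edge steps just listed come down to comparing the installed four-part build number against the fixed one. The following is an added example, not code from Google, Microsoft or the article, that does that comparison correctly and runs it over a fleet inventory. The only fixed build it knows is Chrome's 100.0.4896.127 from the page; the inventory lines, hostnames and the Edge build in them are constructed for the example, and the fixed builds for other Chromium-based browsers are assumed to be supplied by the operator from each vendor's own release notes.

```python
"""Decide whether a Chromium-family browser build is old enough to be exposed to
CVE-2022-1364, using a numeric (not lexical) comparison of the four-part build
number. Added illustration; not Google's, Microsoft's or the article's tooling."""
import re
from typing import Dict, List, Optional, Tuple

# Chrome desktop build that ships the fix, per Google's April 14 release note.
CHROME_FIXED = "100.0.4896.127"

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Pull a four-part Chromium build number out of strings such as
    'Google Chrome 100.0.4896.127' (what Help|About or `--version` shows).
    Returns None when no build number is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, build, patch = (int(x) for x in m.groups())
    return (major, minor, build, patch)


def is_patched(installed: str, fixed: str = CHROME_FIXED) -> bool:
    """True when `installed` is at or beyond the `fixed` build.
    Tuples of ints compare element-wise, so 100.0.4896.88 correctly ranks
    below 100.0.4896.127; a plain string comparison gets that backwards
    because the character '8' sorts after '1'."""
    cur, ref = parse_version(installed), parse_version(fixed)
    if cur is None or ref is None:
        raise ValueError(f"unrecognised build number: {installed!r} / {fixed!r}")
    return cur >= ref


def triage_inventory(lines: List[str], fixed_by_browser: Dict[str, str]) -> List[str]:
    """Given 'host,browser,version' lines, return the hosts still running a build
    below the fixed one for their browser. A browser with no fixed build on
    record is reported rather than silently passed: an unverified host is not a
    safe host, and each Chromium-based browser numbers its builds differently."""
    exposed = []
    for line in lines:
        host, browser, version = (field.strip() for field in line.split(","))
        ref = fixed_by_browser.get(browser)
        if ref is None:
            exposed.append(f"{host} ({browser} {version}: no fixed build on record)")
        elif not is_patched(version, ref):
            exposed.append(f"{host} ({browser} {version} < {ref})")
    return exposed


# Constructed sample inventory: hostnames and builds are made up for the example.
SAMPLE_INVENTORY = [
    "ws-01, chrome, Google Chrome 100.0.4896.127",
    "ws-02, chrome, Google Chrome 100.0.4896.88",
    "ws-03, chrome, Google Chrome 100.0.4896.60",
    "ws-04, chrome, Google Chrome 101.0.4951.15",
    "ws-05, edge, Microsoft Edge 100.0.1185.29",
]

if __name__ == "__main__":
    # Only Chrome's fixed build comes from the article; add other vendors' fixed
    # builds from their own advisories before trusting the verdict for them.
    for entry in triage_inventory(SAMPLE_INVENTORY, {"chrome": CHROME_FIXED}):
        print("EXPOSED:", entry)
```

On Linux and macOS the version string can be fed straight from `google-chrome --version` or the bundle's binary with `--version`; on Windows, Help|About or the install's registry entry is the practical source, since chrome.exe does not print its version to the console. The edge case the script guards against is the one that bites ad-hoc inventory scripts: a lexical comparison of "100.0.4896.88" against "100.0.4896.127" declares the older build patched.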