Google Chrome: emergency update to patch zero-day vulnerability has been released
Days after the release of Chrome 94 to the Stable channel comes another update for Google's Chrome web browser. Chrome 94.0.4606.61 is available for the desktop operating systems Linux, Mac and Windows. The update patches a security vulnerability in the client that is actively exploited in the wild.
Chrome users who run desktop versions of the web browser will get the update in the coming days and weeks. Load chrome://settings/help to check the installed version and run a manual check for updates. Chrome will pick up the latest version and install it immediately, which patches the security issues.
CVE-2021-37973, a use-after-free vulnerability in Portals, is rated high by Google. High is the second highest rating after critical. Google does not reveal additional information about the vulnerability, other than that it is aware that an exploit "exists in the wild". Portals are designed to improve transitions between webpages, and Google hopes that they will eventually replace iframes on the Web.
The patch was not included in this week's main update for the Stable channel of the browser because the vulnerability was reported on the day the update was released.
Considering that the issue is already actively exploited, Google advises customers to upgrade their versions of Chrome to the latest patched version as soon as possible.
It is unclear at this point if other browsers that are based on Chromium are also affected by the security issue.
Chrome 94 was released earlier this week. The browser patched 19 different security issues, several of them with a high severity rating. Google launched the controversial Idle Detection API in Chrome 94, which websites may use to detect whether users are idle. Users need to give explicit permission before sites may access the information.
Mozilla and Apple announced earlier that they won't implement the API in Firefox and Safari, because of its abuse potential.
Google's official post about the new release is found on the official Chrome Releases website.
Now You: when do you update your browsers?
Anyone know EXACTLY what they changed! I get a “SSL/TLS no compatible protocol error” on an internal IBM WebSphere Application Server App.
It is like the site doesn’t have the right encryption code available.
Did they shut off TLS1.0, 1.1, 1.2? Force us to 1.3? If using ONLY TLS1.3, what encryption, since that is dynamic under 1.3.
Martin which internet browser do you recommend
I recommend several, e.g. Firefox, Vivaldi, or Brave. It depends on what you need.
what do you recommend for ios ?
Edge Version 94.0.992.31
* CVE-2021-37973
* CVE-2021-37956
* CVE-2021-37957
* CVE-2021-37958
* CVE-2021-37959
* CVE-2021-37960
* CVE-2021-37961
* CVE-2021-37962
* CVE-2021-37963
* CVE-2021-37964
* CVE-2021-37965
* CVE-2021-37966
* CVE-2021-37967
* CVE-2021-37968
* CVE-2021-37969
* CVE-2021-37970
* CVE-2021-37971
* CVE-2021-37972
Now look, I detest Google, but in patching they are useful idiots. It’s very very veeeery bad for business to have a vulnerable browser so they go out of their way to find the leaks and patch them. This benefits Chromium browser, which I use. No ifs or buts about it, Google’s patching regime is a good thing for everybody.
Google Man will save the day fixing vulnerabilities before they occur!
Yay, Google Man busy creating new vulnerabilities day and night!
Google Man, so amazing, so literally anthropomorphic!
Huh?
The day Google wants me to update, I update. People who don’t update are not only at a security risk, but are also a security risk to others. Hello virus, bye bye data.
Also day 1 patch by Google. Unlike other companies, Google is on top of these things. When you have the BEST browser in existence, it is natural jealous people will try to bring it down to the level of ‘other browsers’.
Weird, my ad blocker doesn’t block ads “disguised” as posts.
@ULBoom
My previous post hasn’t passed moderation yet (grrr…),
but my blocking rule also blocked other posts mentioning him…
This is better:
www.ghacks.net##.opacity--90.comment-item__header:has-text(ChromeFan):upward(.comment-item)
Caveat:
‘:upward’ only works in uBlock Origin.
Which b.t.w. might no longer be developed for Chromium based browsers, when
Manifest V3 kicks in and Gorhill has to limit the capabilities too much.
https://github.com/uBlockOrigin/uBlock-issues/issues/338#issuecomment-456179825
https://github.com/uBlockOrigin/uBlock-issues/issues/338#issuecomment-873602429
At your service:
www.ghacks.net##.comment-item:has-text(ChromeFan)
* [Editor: removed, please be kind ;)]
wow, yet another in-the-wild exploit patched this year – they already patched 8 critical use-after-free ones. what a pig of a browser, so insecure – you’re better off using webkit or gecko, not just for privacy it seems
ten zero-days in-the-wild for chrome this year
https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=2129022708
@zerodays
So? That’s not bad at all for a software with the complexity of an operating system.
Firefox has way worse security standards to begin with (see the article I’ve shared) and has to patch high impact security issues every month as well.
Your point is as moot as can be.
Chrome will always have more exploits and vulnerabilities than Firefox because they are the market leader with the biggest userbase. The hackers or criminals target the biggest browser in use.
Yup.
Anything that uses the infrastructure of the web is vulnerable to attacks and exploits, just like the infrastructure of the real world.
For example, I consider my house as “secure”, yet if a determined gang wants to burn it to the ground, then that will likely happen.
In the end, we are like a flock of ducks, hoping we won’t be the next target.
As for such so-called “patches”, they are in part a public relations tactic, implemented to make us feel safer.
> Chrome will always have more exploits and vulnerabilities
Wasn’t always the case, when Firefox lacked multi process. But true, chrome is a bigger target, and that makes it a liability in those terms. At the rate they’re going, it’s starting to turn into the adobe acrobat of browsers
https://www.schneier.com/blog/archives/2021/09/the-proliferation-of-zero-days.html
@zerodays
Firefox had more security issues discovered back then because it was way more relevant back then than it is now. Nobody really cares about Firefox today, it probably has more security issues than Chromium does thanks to worse overall security standards, but not even the hackers care enough to uncover them.
So if Chromium is the Adobe Acrobat of browsers, then Firefox might as well be Adobe Flash post-abandonment.
“Three iOS 0-days revealed by researcher frustrated with Apple’s bug bounty” – a headline on Ars Technica.
Google, love or hate or indifference them, patches things when they become aware of flaws. If the others are silent about those things you don’t know whether they are patching them or ignoring them, like Apple.
And I’m saying this as a Firefox user.
@karl
> so insecure – you’re better off using webkit or gecko
Good joke.
https://madaidans-insecurities.github.io/firefox-chromium.html
> not just for privacy it seems
Not even for privacy.
https://www.ghacks.net/2020/02/25/study-finds-brave-to-be-the-most-private-browser/
Let’s inspect this joke of a comment –
“Good joke.
https://madaidans-insecurities.github.io/firefox-chromium.html”
Funny madainwhatever link has been shared. So let’s see if this site is credible. In this link – ‘https://madaidans-insecurities.github.io/security-privacy-advice.html’ Here’s what author has to say – ‘The desktop security model is very broken. It was not designed with security in mind — security was only a poorly implemented afterthought. However, there are some operating systems that are less bad in this regard. If you can, stay away from desktop and stick to mobile devices.’
These quotes are funny but not credible. So let’s examine the link shared in that paragraph – ‘https://blog.cryptographyengineering.com/2017/03/05/secure-computing-for-journalists/’ Actually the author wrote an article so bad that one reader wrote a good comment questioning the integrity of the article. Article recommends iOS which is very funny. It is from 2017. Fast forward to today, we all know a spyware named Pegasus – last week gHacks wrote an article about Apple measures which confirms huge security hole and spyware news was everywhere weeks ago – Funny a security researcher didn’t keep himself up-to-date.
Second link in madainwhatever’s highlighted quotes refers to same website, hilarious if you ask me. So let’s see what’s been written there – ‘Use airplane mode and/or take out your SIM card as much as possible to prevent cell tower triangulation.’
See security expert suggesting to stick to mobile devices and to keep SIM Card out of mobile phone, but then I suppose there are many desktop systems that have same problem as well, only in them SIM Card can’t be removed.
And that’s just a start. Whole madainwhatver website is filled with false claims about many things including Firefox and no real world incidents have been shared. I can put more laughable quotes here but then let the security researcher be at peace. The quotes shared above are enough to conclude – that website is trash, and certainly not the one to draw conclusion on whether Firefox is bad in terms of security compared to Chromium.
@Yash
First things first, there is no need for you to troll under every single one of my posts. Has it ever occurred to you that I don’t write these only for some troll folk like you to reply? Spread the message far and wide, and tell your troll friends especially, that there is no point in replying to me if you have no argument to make.
Secondly and more importantly, even before I started reading your comment, I already knew that you would fail to address any of the points madaidan raises in his Firefox vs. Chromium article. Wasn’t disappointed. You just nitpick some other articles of his, desperately searching for any point you can address with your limited knowledge.
Listen, Yash, you seem to think that you are much more competent than madaidan is, so then it should be no problem for you to address every. single. one. of his points made in the Firefox vs. Chromium article. Can’t wait for your extensive wrecking of madaidan. Good luck.
1. “First things….. make.”
2. “Secondly and more….. luck.”
1. Questions were raised about madainwhatever website. Since those are true, you reverted to saying troll and what not. So please continue deflecting the main point. Plus this is a public forum, not everything is trash late night show hosted by Iron Heart, so when you shared a trash site, and I highlighted some laughable quotes, then it would be better if you can justify them or maybe continue on your initial point. If you can’t as you showed, then don’t get embarrassed saying stupid things coz then it confirms you’re a troll.
2. Again you missed the main point. In madainwhatever’s article about Firefox he complained about sandboxes and yet not even once did he share any real world incidents. As I’ve already shown in my previous comment madainwhatever is a trash guy. For someone who claims to be a security expert, he’s not up-to-date about current issues, heck he’s not even up-to-date about what security issues are in the first place. In Firefox article he complained about sandboxes and in another article he said Android is superior because of sandboxes. And yet there is a spyware which even made Daniel Micay to write – Sandboxes are not enough.
If Firefox would’ve been insecure then there would’ve been a discovery of string of vulnerabilities exploited in the wild related to claims made by madainwhatever, but none of that has happened. The issues that are currently fixed in Firefox have nothing to do with Madainwhatever’s claims. So yeah I have to prove madainwhatever guy wrong, but the question is – for what? All the things he wrote had no real world value. To prove it otherwise, why don’t you share some incidents which will justify madainwhatever’s claims?
Good luck mentioning even one.