A security update for Google Chrome 96 is out
Google released an update for Google Chrome 96, the company's web browser, today for all supported desktop operating systems and for the company's Android platform.
The new version of Google Chrome is a security update that patches 20 different security issues, many of which rated high, the second-highest rating after critical.
Chrome is rolled out automatically on all supported platforms by default. Desktop users may speed up the discovery of the new update by selecting Menu > Help > About Google Chrome, or by loading chrome://settings/help directly. The page that opens lists the version of the browser that is installed currently, and it will run a check for updates to download and install the latest version of the browser.
Android users may open the page as well, but the download of updates is powered by Google Play, which means that updates can't be expedited this way.
The Chrome releases blog lists all security issues that were reported by external researchers. Most were reported to Google in November, some in October and one in August of 2021.
[$15000] High CVE-2021-4052: Use after free in web apps. Reported by Wei Yuan of MoyunSec VLab on 2021-11-07
[$10000] High CVE-2021-4053: Use after free in UI. Reported by Rox on 2021-11-08
[$5000] High CVE-2021-4054: Incorrect security UI in autofill. Reported by Alesandro Ortiz on 2021-08-13
[$1000] High CVE-2021-4055: Heap buffer overflow in extensions. Reported by Chen Rong on 2021-11-03
[$TBD] High CVE-2021-4056: Type Confusion in loader. Reported by @__R0ng of 360 Alpha Lab on 2021-10-18
[$TBD] High CVE-2021-4057: Use after free in file API. Reported by Sergei Glazunov of Google Project Zero on 2021-10-21
[$TBD] High CVE-2021-4058: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-06
[$TBD] High CVE-2021-4059: Insufficient data validation in loader. Reported by Luan Herrera (@lbherrera_) on 2021-11-17
[$TBD] High CVE-2021-4061: Type Confusion in V8. Reported by Paolo Severini on 2021-11-18
[$TBD] High CVE-2021-4062: Heap buffer overflow in BFCache. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-11-22
[$TBD] High CVE-2021-4063: Use after free in developer tools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-11-23
[$TBD] High CVE-2021-4064: Use after free in screen capture. Reported by @ginggilBesel on 2021-11-23
[$TBD] High CVE-2021-4065: Use after free in autofill. Reported by 5n1p3r0010 on 2021-11-25
[$TBD] High CVE-2021-4066: Integer underflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-11-29
[$TBD] High CVE-2021-4067: Use after free in window manager. Reported by @ginggilBesel on 2021-11-29
[$500] Low CVE-2021-4068: Insufficient validation of untrusted input in new tab page. Reported by NDevTK on 2021-10-31
No critical rating has been assigned, but most issues are rated as high. The issues don't seem to be exploited in the wild, as Google mentions that usually in the release announcement.
The Android version includes stability and performance updates according to Google. It is unclear if security issues were patched in the Android version as well; none are mentioned on the release blog post.
Most Chromium-based browsers are affected by at least some of these vulnerabilities as well. Expect other browsers, such as Microsoft Edge or Brave, to release security updates soon as well that address the issues.
Now You: When do you update your browsers?Advertisement