Chrome 97 update fixes 26 vulnerabilities (1 critical)
Google released a new version of its Chrome web browser to the public. The new version of the web browser, Chrome 97.0.4692.99, is a security update that addresses 26 different issues in the browser, including one rated critical. Chrome Extended Stable has been updated as well to address the issues.
The Extended Stable is updated to a new milestone release every 8 weeks. It is designed for organizations and Enterprise customers mainly, but available for everyone.
Chrome 97.0.4692.99 and Chrome 96.0.4664.174 are already available. Google rolls out new versions over the course of days and weeks, using Chrome's automatic updating functionality for it.
Chrome users who want the updates early can run manual checks for updates. All it takes is to select Menu > Help > About Google Chrome to start the process. Chrome displays the current version and runs a check for updates. The browser should pick up the new version during the scan to download and install it. A restart is required to complete the process.
Blog posts on the Chrome Releases blog list all externally reported security issues that Google addressed in the Chrome update. One vulnerability, CVE-2022-0289, is rated critical, the highest severity rating.
[$NA] Critical CVE-2022-0289: Use after free in Safe browsing. Reported by Sergei Glazunov of Google Project Zero on 2022-01-05
[$20000],[NA] High CVE-2022-0290: Use after free in Site isolation. Reported by Brendon Tiszka and Sergei Glazunov of Google Project Zero on 2021-10-15
[$20000] High CVE-2022-0291: Inappropriate implementation in Storage. Reported by Anonymous on 2021-12-19
[$17000] High CVE-2022-0292: Inappropriate implementation in Fenced Frames. Reported by Brendon Tiszka on 2021-11-16
[$15000] High CVE-2022-0293: Use after free in Web packaging. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-30
[$10000] High CVE-2022-0294: Inappropriate implementation in Push messaging. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-11-23
[$10000] High CVE-2022-0295: Use after free in Omnibox. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-09
[$7000] High CVE-2022-0296: Use after free in Printing. Reported by koocola(@alo_cook) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-30
[$5000] High CVE-2022-0297: Use after free in Vulkan. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28
[$TBD] High CVE-2022-0298: Use after free in Scheduling. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-25
[$TBD] High CVE-2022-0300: Use after free in Text Input Method Editor. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-01
[$NA] High CVE-2022-0301: Heap buffer overflow in DevTools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-12-03
[$TBD] High CVE-2022-0302: Use after free in Omnibox. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2021-12-10
[$TBD] High CVE-2022-0303: Race in GPU Watchdog. Reported by Yi?it Can YILMAZ (@yilmazcanyigit) on 2021-12-22
[$TBD] High CVE-2022-0304: Use after free in Bookmarks. Reported by Rong Jian and Guang Gong of 360 Alpha Lab on 2021-12-22
[$TBD] High CVE-2022-0305: Inappropriate implementation in Service Worker API. Reported by @uwu7586 on 2021-12-23
[$NA] High CVE-2022-0306: Heap buffer overflow in PDFium. Reported by Sergei Glazunov of Google Project Zero on 2021-12-29
[$2000] Medium CVE-2022-0307: Use after free in Optimization Guide. Reported by Samet Bekmezci @sametbekmezci on 2021-12-21
[$2000] Medium CVE-2022-0308: Use after free in Data Transfer. Reported by @ginggilBesel on 2021-12-24
[$TBD] Medium CVE-2022-0309: Inappropriate implementation in Autofill. Reported by Alesandro Ortiz on 2021-08-17
[$TBD] Medium CVE-2022-0310: Heap buffer overflow in Task Manager. Reported by Samet Bekmezci @sametbekmezci on 2022-01-03
[$TBD] Medium CVE-2022-0311: Heap buffer overflow in Task Manager. Reported by Samet Bekmezci @sametbekmezci on 2022-01-03
Google does not seem to be aware of attacks targeting any of the vulnerabilities, as it usually reveals if that is the case in the blog posts on the Chrome Releases blog.
You can check out the Stable and Extended Channel announcements by following the links.
Now You: when do you update your browsers?
“When do you update your browsers?” When Martin spreads the word about a new update being available! ;)
On my laptop I have both Chrome and Vivaldi Snapshot setup to only manually update. Firefox (primary) set to notify.
Another zillion security holes patched.
Chrome has the most security vulnerabilities of any browser.
At least Google’s bounty system is working, LOL.
“Chrome has the most security vulnerabilities of any browser.”
The most discovered and fixed vulnerabilities you mean. Would you feel safer if they never came to light?
“when do you update your browsers?”
Chrome is a freakshow. More “vulnerabilities” “”fixed”” every other version. Just check this list after years since snapping the chromium code and all those “genius” devs, engineers, etc.
Still using Netscape Navigator…
I hope you’re joking. I can’t tell.
First I’ve heard of Chrome Extended Stable. Interesting it’s a whole version behind but still OK to use. IDK if a bunch of Chrome’s glopware is missing from this edition, similar to FF ESR but it’s still OK.
I update my stripped version of Chromium whenever I think of it, not often. FF is manually updated whenever an update is released unless there’s evidence of issues.
Just a minor and perhaps obvious clarification: A (browser) restart is required to complete the process.
Edge is following with the same security holes.
All Chromium based browsers are following all these security holes. Chrome, Edge, Brave, Vivaldi, etc. If it’s Chromium based, it gonna get hit! Plus they are worse off because Chrome updates, and publishes it, but all the other browsers take more time, and that give hackers time to try to exploit them.
Edge specifically can sidestep the issue thanks to Microsoft defender application guard (which essentially runs the entire browser inside of its own VM), but other chromium browsers (with the exception of Chrome) do have the issue of being downstream.
Chrome does not have more vulnerabilities than other browsers, however it has a lot because it’s widely used by millions of people around the world and this is the reason to discover so much of them. Chrome works like a charm to browse for unknown websites because is extremely robust, however Fiferox is my preferred choice for trusted sites (e.g., online chat, online shopping and goverment sites (despite its weird dark/light mode management, ugly as hell). :]
Hi Martin. I couldn’t help but notice Google Chrome now has the Extended Stable release channel but try as I might I have not found where to download this version yet. Any ideas? Thanks.
Using Chrome search I found https://support.google.com/chrome/a/answer/6350036#zippy=%2Cset-chrome-browser-to-a-specific-release-channel . Perhaps there is is a simpler better answer hiding somewhere.
Brave for Desktop now upgraded to Chromium version 97.0.4692.99:
Brave for Android still stuck out in the cold and lonely at the earlier vulnerable version.