Google released a second Chrome security update this week
Google published a new security update for the company's Chrome web browser that addresses three security issues in the browser. The new update comes less than a week after the release of Chrome 106, which addressed a total of 20 security issues in Chrome.
The new security update is already available. Chrome updates automatically by default, but the update may arrive days or even weeks after the release. It is often better to install the update manually to protect the browser against potential attacks targeting the security issues.
To do so, load chrome://settings/help in the browser's address bar or go to Menu > Help > About Google Chrome. Chrome displays the current version that is installed and runs a check for updates. The check will pick up the new security update and install it in the browser.
Once installed, Chrome Stable should display version 106.0.5249.91 and Chrome Extended Stable should display version 106.0.5249.91, which can be checked on the Help page.
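For administrators who need to run the same version check across many machines, the following is an added example and not part of the original article. It compares collected Chrome version strings against the patched build 106.0.5249.91 named above; the host names and the installed versions in the sample inventory are constructed for illustration.

```python
import re

# Patched build named in the article for Chrome Stable and Extended Stable.
PATCHED = "106.0.5249.91"

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Extract a four-part Chrome version from text such as the output of
    `google-chrome --version`; return a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def needs_update(installed, patched=PATCHED):
    """True when installed is older than patched. Components are compared as
    numbers: as plain strings, '106.0.5249.100' sorts before '106.0.5249.91'."""
    got = parse_version(installed)
    if got is None:
        raise ValueError(f"no version found in {installed!r}")
    return got < parse_version(patched)

def audit(inventory):
    """inventory: iterable of (host, version_output) pairs. Returns two sorted
    lists: hosts that need the update, and hosts with unparseable output."""
    outdated, unknown = [], []
    for host, output in inventory:
        try:
            if needs_update(output):
                outdated.append(host)
        except ValueError:
            unknown.append(host)
    return sorted(outdated), sorted(unknown)

# Constructed sample inventory (hosts and installed versions are made up).
SAMPLE = [
    ("ws-01", "Google Chrome 106.0.5249.90"),
    ("ws-02", "Google Chrome 106.0.5249.91"),
    ("ws-03", "Google Chrome 105.0.5249.200"),
    ("ws-04", "Google Chrome 106.0.5249.100"),
    ("ws-05", "chrome: command not found"),
]

if __name__ == "__main__":
    outdated, unknown = audit(SAMPLE)
    print("needs update:", outdated)
    print("could not determine:", unknown)
```

Hosts in the second list should be checked by hand rather than assumed patched. The comparison only makes sense for Chrome builds, since other Chromium-based browsers use their own version numbering.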
Google reveals that two of the reported security issues have a severity rating of high. High is the second-highest rating after critical. One security issue was detected internally, which means that the company does not reveal it to the public.
- [$7000][1366813] High CVE-2022-3370: Use after free in Custom Elements. Reported by Aviv A. on 2022-09-22
- [$10000][1366399] High CVE-2022-3373: Out of bounds write in V8. Reported by Tibor Klajnscek on 2022-09-21
Google makes no mention of exploits in the wild, but there is always the chance that the company has not detected them yet or that attacks begin after the release of the security updates for Chrome.
Chrome users may check the official announcements for Chrome Stable and Chrome Extended Stable, but they don't provide any additional details other than a link to the update log, which lists changes meticulously.
Other Chromium-based browsers may post updates, as they may be affected by some of the reported security issues as well.
Now You: do you have Chrome installed on your devices?
Where is the Edge update?
I have version 105.0.1343.53, however I hope they will provide the update before October 11th.
Why is it when there is a new security flaw found in Chrome, all the Chrome fanboys say, “wHat aBouT FiReFoX?”.
They are probably the same people that say, “What about Al Capone?” every time they get arrested.
Here FF 102 ESR and Edge Chromium. No problem! Thanks for the article. :]
People complaining about “chromium and security flaws and blabla” now tell me, how many people got affected by these so called Security risks?
When the answer is millions I will accept the complaints, until then, people are just being dramatic, especially the Firefox employees or (free) fanboys who seem to be around every browser post spreading the “but muh Firefox” spam… when in reality Firefox probably has way more security issues, but since nobody really cares about it then how is anyone going to care to find them?
With my browser I am sure I can run it with --no-sandbox and --disable-features=IsolateOrigins,site-per-process and nothing will ever happen, because most security risks have like zero probability of happening to 99.99999999% of people.
Anyway, share data how many people got affected by these all “September” and the other hundred security risks through the year and then the conversation (rants) will make sense, until then people just should move on and stop caring about what is not even affecting them.
Also, people seem to forget Chromium as a whole is way too big in market share so obviously the time invested trying to find issues is higher than the nobodys Firefox that is still alive because of Google’s almost half billion dollars for a fishy search deal (we know it has nothing to do with search).
@Barik
Agreed. The only people affected by “chromium and security flaws and blabla” were some journalists who were traitors to the state. We must ensure journalists remain loyal to the state and report only the news they are supposed to. They cannot just say whatever they want to. Your government appreciates your unconditional support Mr. Barik\Iron Heart.
https://www.bleepingcomputer.com/news/security/chrome-zero-day-used-to-infect-journalists-with-candiru-spyware/
Funnily enough, if you were smart enough to realise it, your comment and link prove what @Barik was saying…
@What news
Indeed, Chrome security flaws are not a big deal and nothing to worry about. The flaw was discovered by Avast and no additional zero days have been discovered since. Thank you for your unquestioning support. Big Brother is looking out for you.
So in bizarro Google fanboi land, a zero day exploit used to target journalists is a good thing because somebody at Avast eventually managed to find it?
You can play stupid elsewhere.
I only use ungoogled chromium (portable) as a secondary browser and only for a few websites. I do not have a lot of trust or confidence in anything based on chromium due to all these frequent security updates. Really makes it feel like the code base is bloated and full of holes like swiss cheese.
@Mothy
What are you going to use instead? Other browsers don’t even have the exploit mitigations Chromium has, and only have a nominally (not actual) lower security issue count due to them being comparatively irrelevant! “Irrelevant” is not the same as “secure” though.
You can also see it this way: Many more people are working with the Chromium codebase, so the likelihood of finding security issues is automatically higher. When they are fixed, this makes the codebase more secure. Many of these security issues are also low severity (example: exploitation requires physical access to your PC – highly unlikely scenario).
‘exploitation requires physical access to your PC’
I think the biggest issue regarding exploitation in security bugs and why they are quickly patched is they can be exploited without physical access. It always looked that way to me.
That adds up to 59 total security flaws in the month of September. And one (known) zero-day exploit. That’s really really bad. Flash was killed for less frequent security issues than this.
If you are using any Google chromium code at all in any of your browsers you need to rethink what you are doing. Certainly think twice before using it for any online banking or transactions. At least make sure you apply any browser updates prior to doing online transactions or banking.
@Andy Prough
> Flash was killed for less frequent security issues than this.
Flash also was a much more limited codebase and had a much more limited range of functionality. This comparison does not get smarter the more often you post it. Browsers have OS-sized codebases.
> If you are using any Google chromium code at all in any of your browsers you need to rethink what you are doing.
The alternative is Firefox, a browser that does not even feature the exploit mitigations Chromium has: _https://madaidans-insecurities.github.io/firefox-chromium.html_
Or maybe Pale Moon, it’s what you use according to your forum profile there – a browser that is not even multiprocess, has no sandbox, where extensions run with the same privileges as the base application, and incidentally one of the last browsers that still supports Adobe Flash.
@Andy Prough knows nothing about security and is here to shill Firefox and Pale Moon.
>”The alternative is Firefox … and Pale Moon
Seems like we are basically in agreement. With Firefox, I wouldn’t recommend the default browser, but instead to use Firefox+Arkenfox, or Librewolf, or Trisquel’s Abrowser. They are all doing very similar things.
There’s also Netsurf, which I’ve used and I like, but its javascript engine is limited and it can’t render a lot of sites correctly.
And there’s WebKit. Of all the WebKit browsers I personally prefer Luakit. I can do a lot with Luakit – it has extensive built-in ad blocking and script blocking and plugin blocking, and its vim key-bindings are tremendous. Also, learning to re-configure Luakit using the Lua programming language is quite a bit of fun. If I wanted to get a teenager motivated to learn vim and to learn programming, I would be tempted to take away their Chrome browser and make them learn Luakit for a few months.
For people that just need a no-frills browser, links2 can run in a terminal emulator in graphical mode. You can see the images and the text on web pages, and you can throw audio and video to external programs like MPV or VLC. It does not have a javascript engine.
For people that just want to read text in a terminal emulator, the newsboat RSS feed reader is quite a powerful way to read your daily websites without using any browser engine or javascript at all. It also has the ability to hand off text, images, and multimedia to external programs through its ingenious built-in macro system.
@Andy Prough
> Seems like we are basically in agreement.
We agree that Firefox exists, we disagree on whether it should be used.
> With Firefox, I wouldn’t recommend the default browser, but instead to use Firefox+Arkenfox, or Librewolf, or Trisquel’s Abrowser. They are all doing very similar things.
They do similar things because they are the same browser, LOL. With LibreWolf and the other shit browser being rebrands / minor rebuilds of Firefox. Also, no, switching to Firefox would weaken user security, not strengthen it. Firefox is many years behind Chromium in terms of implemented exploit mitigations, read the article I linked to above.
> And there’s WebKit.
No WebKit-based browser outside of Safari is usable, the lack of extensions already kills that idea for good.
So you think I’m wrong and you recommend that people should do their online financial transactions with chromium based browsers without getting security updates first then.
It’s an interesting strategy.
@Andy Prough
> So you think I’m wrong and you recommend that people should do their online financial transactions with chromium based browsers without getting security updates first then.
I never said that anywhere in my comments.
You can play stupid elsewhere.
Edge Chromium is still far behind, vers.105.x . Not good, Microsoft.
Thank Google that they keep updating Chromium, if it was up to Microsoft, it would be still on WebKit, pre-Blink and not working on 99% of websites, like IE 6.
I have but it’s the third browser to go to for me. I have the Firefox 105 as the steady nr 01 workhorse for decades. The number two is Vivaldi.
Right now I am quite busy looking to replace Google before January 2023 even with the holy Google promise, to delay V2 his death up to 2024.
Right now I can decide between the new Waterfox G5.0 and the upcoming Brave 1.45.
I think Brave is a bit more sophisticated under the hood but scores with me, a bit less on the subject of friendly/smooth working with behavior.
Wasn’t Waterfox sold to some advertising company a while ago..? Making it totally useless.
Don’t really know much about Waterfox, but Brave would be a solid addition. I only use Firefox for all tasks now but from my personal experience Brave worked well. Granted it’s not as good as lovely trusted Fox but still very good.