Google releases security update for Chrome that is exploited actively

Martin Brinkmann
Nov 26, 2022
Updated • Nov 26, 2022
Google Chrome
|
24

Google published a security update for its Chrome Stable web browser that addresses a security issues that is exploited in the wild. Other browser makers who use Chromium, the core that Chrome uses, have released security updates as well already, or will in the near future.

Google released the update to the Chrome Stable channel, the Chrome Extended Stable channel, and for Chrome for Android. Chrome Stable's version increases to 107.0.5304.121 for Mac and Linux and 107.0.5304.121/.122 for Windows, the Chrome Extended Stable version increases to 106.0.5249.199, and the Chrome for Android's version is 107.0.5304.141 after the update.

Desktop users of Chrome may run a manual check for updates to download the update immediately. All it takes is to load chrome://settings/help or select Chrome Menu > Help > About Google Chrome to do so. The page that opens displays the current version that is installed on the device and runs a check for updates. Any update that is found during the scan is downloaded and installed.

All updates address a single security issue in the browser. Google lists it as CVE-2022-4135: Heap buffer overflow in GPU, and assigned it a severity rating of high. High is second only to critical in the severity scale.

Google notes that the issue is exploited in the wild. Chrome users should update the browser immediately to protect the browser from potential attacks.

Google Chrome for Android updates automatically. There is no option to speed up the process, as Google Play lacks an option to run a manual scan for updates, similarly to how it is done on the desktop.

Google had patched 10 security issues in Chrome 107, which was released to the stable channel a few weeks ago. The search giant is testing a new security feature called Encrypted Client Hello (ECH) in Chrome Canary.

Brave updates as well

Brave Browser was one of the first third-party Chromium-based browsers to release an update that addresses the security issue. The release notes merely state that the browser has been updated to Chromium 107.0.5304.141, but the official Twitter account confirms that the update patches the security issue in the browser.

Brave desktop users may load brave://settings/help to display the installed version and run a check for updates.

Other browsers, including Microsoft Edge, Vivaldi or Opera, have no update available yet that addresses the security issue.

Now you: do you use a Chromium browser? Has it been updated yet?

Summary
Article Name
Google releases security update for Chrome that is exploited actively
Description
Google published a security update for its Chrome Stable web browser that addresses a security issues that is exploited in the wild.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. rand said on November 27, 2022 at 3:59 pm
    Reply

    I know that this is a bit off-subject, but: when I bought my new HP laptop and downloaded Chrome, it says ‘managed by your organization.’ But there is no organization. It’s a home computer. Never been used anywhere else or by anyone else. So, I can’t adjust some of the settings, like ‘use secure DNS.’
    Apparently, this is a wide-spread problem. I’ve read all the threads, with all their ‘solutions,’ but none of them work. It’s a real annoyance.
    Martin, can you, or one of your readers, offer a solution that works?
    Thank you,
    Rand

  2. Andy Prough said on November 27, 2022 at 12:45 am
    Reply

    What a surprise. A month ending in Y, H, L, E, T, or R with a Chrome zero-day exploit.

    What we need now is more blog posts from Google-funded security “experts” to tell us “Ak-shually, Chrome is the most secure browser ever made”.

    1. Iron Heart said on November 27, 2022 at 6:34 pm
      Reply

      @Andy Prough

      Firefox has weaker exploit mitigations but is hacked less at the same time since it’s more or less irrelevant.

      Not that hard to understand.

      1. Jody Thornton said on November 29, 2022 at 11:58 am
        Reply

        @Iron HEart:

        Notice that has needed to be re-explained once every two weeks to Andy? Yet he cites how much more secure Pale Moon is – which would be GREAT if it worked on all common web sites.

      2. Iron Heart said on December 1, 2022 at 8:03 am
        Reply

        @Jody Thornton

        These geniuses have done the same thing in the more recent Chromium-related article. Totally not obvious that it’s shilling. :D

      3. Brotherhood of Google Fanboys said on November 28, 2022 at 2:16 am
        Reply

        If brother Iron Heart says Chrome is more secure than Firefox, then do not ask why, do not ask for proof. Accept his and brother Madaidan’s word as truth. This is because they know the truth, just like they know the sky is blue and water is wet. Google is infallible, all who are wise and pious accept this.

      4. Iron Heart said on November 28, 2022 at 9:10 am
        Reply

        @Hitomi

        > Yeah yeah madaidan and twitter posts from 2014. Sure relevant today with a Rust based fox!

        Reality-based fox:

        > Last edited: March 19th, 2022

        > Firefox does have some parts written in Rust, a memory safe language, but the majority of the browser is still written in memory unsafe languages, and the parts that are memory safe do not include important attack surfaces, so this isn’t anything substantial, and Chromium is working on switching to memory safe languages too.

        From the source that the r/firefox crew hates the most: _https://madaidans-insecurities.github.io/firefox-chromium.html_

        @Brotherhood of Google Fanboys

        You see, that is the beauty of open source, if you will. Both Chromium and Firefox are open source. What does that mean? It means you can go look at the code yourself and verify whether or not the things Whonix developer madaidan says are true. If you find his statements to be false, you can write a counter-analysis, providing your own evidence based on the code. No faith or piety or higher wisdom required, it’s all there for you to check. I am eagerly waiting for your counter-analysis, and have been waiting for years.

        Listen, I know that you are here to evangelize for Firefox, and I know that this article is a thorn in your side. But making false claims or ridiculous assertions in response is not helping your cause. You would be far more credible if you had an analysis of your own, some fact-based statement to make. But you don’t, you only have bullshit retorts to offer sadly.

      5. Hitomi said on November 28, 2022 at 11:24 am
        Reply

        A speedy recovery!

      6. Iron Heart said on November 28, 2022 at 12:37 pm
        Reply

        > A speedy recovery!

        Will probably need it considering the sheer amount of bullshit here, including yours.

      7. SameSh!tOverAndOver said on November 28, 2022 at 5:59 pm
        Reply

        You, “Iron Heart”, is THE absolute Master of said bullshit.
        “Firefox has weaker exploit mitigations but is hacked less at the same time since it’s more or less irrelevant.”

        Firefox seems to be VERY fu<king relevant to you.

      8. Iron Heart said on November 28, 2022 at 10:24 pm
        Reply

        > Firefox seems to be VERY fu<king relevant to you.

        LOL, I did not bring it up here, did I? It was the usual Firefox evangelists. I just responded to the usual drivel.

        I guess the state of your comment is what you end up with if there is no argument to be made here.

      9. Andy Prough said on November 29, 2022 at 1:28 am
        Reply

        >”LOL, I did not bring it up here, did I? It was the usual Firefox evangelists.”

        The timestamps clearly show that the first one to bring it up on this entire page was you. It was not mentioned at all in either the article or any comments before your first comment.

        It would appear that SameSh*t may have a valid point.

      10. Iron Heart said on November 29, 2022 at 7:53 am
        Reply

        @Andy Prough

        You are massively shilling for Firefox or Firefox-based projects here on gHacks any chance you get and when you purposefully come here, under a completely unrelated article, to voice your pseudo-complaints about a product you don’t use, it is abundantly clear which direction the wind is blowing from, not least because FF is the only multiplatform alternative to Chromium or Chrome anyway.

        “But, but… I didn’t explicitly mention Firefox here! See! You did! My motives are pure, and the other fanboy supporting me is right!” – Not sure gHacks readers are stupid enough to buy into this. Maybe they are, maybe they aren’t. It’s a gamble, are we as silly as you are or can we see right through you? Hm, which is it, “Andy”?

      11. Anonymous said on November 29, 2022 at 7:48 am
        Reply

        That seems to be a common theme here, when there is an article on something Google related try to divert attention away from it to something else.

      12. Hitomi said on November 27, 2022 at 10:25 pm
        Reply

        Nice try to give it a spin to make Chrome appear more safe. Yeah yeah madaidan and twitter posts from 2014. Sure relevant today with a Rust based fox!

        :^)

  3. Bill said on November 26, 2022 at 2:57 pm
    Reply

    What do you mean that Google Play lacks an option to scan for updates?? There are at least two methods in the menu structure for updates scanning.

    1. Martin Brinkmann said on November 26, 2022 at 3:47 pm
      Reply

      There is no option to definitely get an update for an app, if it is released, as far as I know.

      1. Yash said on November 26, 2022 at 6:51 pm
        Reply

        And that is the case indeed, MartinB.

      2. John G. said on November 27, 2022 at 9:03 am
        Reply

        Three differente ways to update apps (Chrome) in Android:
        1) go to Play Store, apps, seek for updates, read the list and update one by one or all at once.
        2) go to settings, apps, touch in one, go to bottom (details of app at store), touch it and just see if it appears the button “update” in the app description, do finish touching it to proceed the installation of the update.
        3) open Chrome, go to options, more, seek the button “update”. If there is no button, there is no update available.

  4. Peter said on November 26, 2022 at 2:49 pm
    Reply

    “Other browsers, including Microsoft Edge, Vivaldi or Opera, have no update available yet that addresses the security issue.”

    Vivaldi had released updates to desktop stable and android BEFORE you even posted this article.

    1. John G. said on November 26, 2022 at 2:56 pm
      Reply

      Have these updates of Vivaldi fixed the security issue related to this article?

      1. Jek Tono Porkins said on November 27, 2022 at 9:43 am
        Reply

        I just checked, no, it hasn’t.

        https://vivaldi.com/blog/desktop/minor-update-five-5-5/

        The following improvements were made since the fourth 5.5 minor update:

        [Chromium] Upgraded to 106.0.5249.203 (CVE-2022-4135)

      2. altug said on November 28, 2022 at 8:53 am
        Reply

        Well, according to release notes, it fixes exactly CVE-2022-4135 which is the one mentioned in the article.

        Additionally, chromium version in the new Vivaldi 5.5, namely 106.0.5249.203, is further than Chrome’s extended stable version 106.0.5249.199.

        Not sure, but I guess this is the fix, no?

  5. John G. said on November 26, 2022 at 7:46 am
    Reply

    I use Edge Chromium as secondary browser, it’s the most complete of them all. Thanks for the article! :]

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.