Google releases another emergency security update for Chrome

Martin Brinkmann
Apr 19, 2023

It is time to update Google Chrome again. Google has just released an emergency security update for its Chrome web browser that addresses a security issue that is exploited in the wild.

The update is available for desktop versions of Google Chrome and for Chrome on Android. Users are advised to update as soon as possible to protect their devices from potential attacks that target these vulnerabilities.

Chrome desktop users may load chrome://settings/help directly in the address bar, or select Menu > Help > About Google Chrome, to display the installed version. The browser runs a check for updates when the page is opened to download the latest update that it finds. A restart of the browser is required to complete the process. On Android, updates are handled by Google Play.

Once updated, the following versions should be listed on the About Google Chrome page:

  • Google Chrome for Windows: 112.0.5615.137 or 112.0.5615.138
  • Google Chrome for Mac or Linux: 112.0.5615.137
  • Google Chrome for Android: 112.0.5615.135 or 112.0.5615.136
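One way to check a fleet against the fixed builds listed above, as an added example that is not from the article or from Google. It parses reported version strings and compares them numerically, field by field, because a string comparison would wrongly rank build .49 above .137. The inventory format, host names and sample lines are constructed for illustration.

```python
import re

# Lowest fixed build per platform, taken from the version list above.
FIXED = {
    "windows": (112, 0, 5615, 137),
    "mac": (112, 0, 5615, 137),
    "linux": (112, 0, 5615, 137),
    "android": (112, 0, 5615, 135),
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from text such as the output of
    `google-chrome --version`; return a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def audit(inventory):
    """Return {host: status}; status is 'patched', 'outdated' or 'unknown'."""
    results = {}
    for line in inventory.strip().splitlines():
        host, platform, reported = [f.strip() for f in line.split(",", 2)]
        version = parse_version(reported)
        fixed = FIXED.get(platform.lower())
        if version is None or fixed is None:
            results[host] = "unknown"      # unparseable version or platform
        elif version >= fixed:             # tuple comparison is numeric
            results[host] = "patched"
        else:
            results[host] = "outdated"
    return results


# Constructed sample inventory: host, platform, reported version string.
SAMPLE = """
ws-01,Windows,Google Chrome 112.0.5615.138
ws-02,Windows,Google Chrome 112.0.5615.121
mac-01,Mac,Google Chrome 112.0.5615.137
lin-01,Linux,Google Chrome 112.0.5615.49
and-01,Android,Chrome 112.0.5615.135
vm-07,Windows,Google Chrome 109.0.5414.120
kiosk-3,Linux,version not reported
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual look rather than being counted as patched.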

Google Chrome 112: security update


Google lists five of the eight security issues that it fixed in the latest Google Chrome update on the official Chrome Releases blog. Information about security issues that it detected internally is not revealed to the public.

The five security issues include the issue that is exploited in the wild. Here is the listing:

  • [$8000][1429197] High CVE-2023-2133: Out of bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
  • [$8000][1429201] High CVE-2023-2134: Out of bounds memory access in Service Worker API. Reported by Rong Jian of VRI on 2023-03-30
  • [$3000][1424337] High CVE-2023-2135: Use after free in DevTools. Reported by Cassidy Kim(@cassidy6564) on 2023-03-14
  • [$NA][1432603] High CVE-2023-2136: Integer overflow in Skia. Reported by Clément Lecigne of Google's Threat Analysis Group on 2023-04-12
  • [$1000][1430644] Medium CVE-2023-2137: Heap buffer overflow in sqlite. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2023-04-05

External security researchers get a bug bounty when they report security issues to Google and other browser developers.

Security issue CVE-2023-2136 is exploited in the wild, according to Google. Public information is limited at this point, but Skia refers to a component of Chrome that is responsible for "nearly all graphics operations, including text rendering" according to the Chromium design documents.

Users who run other Chromium-based web browsers should pay attention to updates for their browsers, as these are also affected by the security issue. Expect updates for Edge, Brave and other browsers soon.

The security update is the second update for Chrome 112 that patches a security issue that is exploited in the wild. The previous update was released on April 15, 2023.

Publisher: Ghacks Technology News

Comments

  1. Derek Clements said on April 21, 2023 at 6:00 am

    Chrome on Android update has only just come through in the recent several hours. Frustratingly, the equivalent update for Brave on Android is nowhere to be seen in Google Play yet I must wholeheartedly grumble.

  2. sal said on April 19, 2023 at 4:06 pm

    @Jim, [ https://github.com/Alex313031/Thorium-Win/releases/tag/M109.0.5414.139 ]

    “M109 Windows 7, Windows 8, Windows 8.1 maintenance release

    As promised, here is a maintenance release of Thorium M109 for Windows 7, Windows 8, Windows 8.1!
    Backported some stuff, and bumped minor rev number 109.0.5414.120 > 109.0.5414.139 which includes security fixes from upstream Chromium.

    – Compiled with Polly enabled;
    – Pre-compiling of inline scripts enabled;
    – Added “Ctrl+Shift+Q” keyboard shortcut to close all windows.

    Backported more optimization flags for V8, Chromium’s Javascript engine, from the M111 release.

    Backported five new chrome://flags flags from the M110 & M111 release:
    – chrome://flags/#force-gpu-mem-available-mb – set available VRAM to be used by Thorium. Options are 128, 256, 512, and 1024 MB. Useful for systems with very low or very high video memory. The default (if unset) is 512 Mb.
    – chrome://flags/#enable-native-gpu-memory-buffers – enable native CPU-mappable GPU memory buffer support on Linux. (Linux only) You can see the effect of this on chrome://gpu in the “GpuMemoryBuffers Status” section.
    – chrome://flags/#double-click-close-tab – a flag that @gz83 came up with and we both implemented. Allows you to close a tab by simply double-clicking on it, similar to an option in Vivaldi.
    – chrome://flags/#show-fps-counter – show a F.P.S. counter on each display, which also shows used/available GPU memory. Useful for Web development.
    – chrome://flags/#media-router to enable/disable the media router, i.e. for Cast.

    – Logo has had padding removed, and a new logo was created for the windows installer.exe.

    – Thorium mascot image added to chrome://version page, under the copyright (for fun).”

  3. Jim said on April 19, 2023 at 3:33 pm

    Google no longer allows Windows 7 systems to upgrade, *those VMs will sit with 109.0.5414.120 in perpetuity – no loss. Chrome’s always been a data logger and anyone patient enough to read the long disclaimer accepts that any information passed through is property of Google. It’s not news though, many companies still block Chrome for that reason.

  4. sal said on April 19, 2023 at 3:20 pm

    I disagree with @MARTIN BRINKMANN’s title that it’s an “emergency security update”.

    This update was scheduled to be released on 18.04.2023.

    The next early stable release is scheduled to be version 113 on 26.04.2023. The stable release of version 113 is scheduled to be released on 02.05.2023.

    1. Andy Prough said on April 19, 2023 at 4:05 pm

      And yet, Google managed to squeeze another emergency zero-day flaw into their release schedule. They are like magic that way.

  5. John said on April 19, 2023 at 2:59 pm

    I like Chrome for its minimalist user interface. It’s pretty obvious that any Chromium based browser is affected by these vulnerabilities. But it’s always Chrome that gets the press. Since most browsers except for Firefox and Safari use Chromium, it is expected to see it as a big target. I still will continue to use Chrome because I feel Google does stay on top of these security threats.

  6. John G. said on April 19, 2023 at 1:24 pm

    I write this comment with no aim to generate discussion nor to start an unusual trolling thread here (lol). I can’t remember which was the first Chrome version that I used for the first time, however I remember clearly like the water that Chrome has never given me a single problem updating it, neither using it. And I am a Chrome user since 2011 more or less. I am also a Firefox user due to it’s still required by a few official sites and some government sites too to pay taxes and so forth. And mostly because my father is the man who I know that uses Firefox since I have memories, from the times of Netscape (lol, such a long time I guess).

    Why do I use Chrome? Because it always works. Now I am here with my friends just to figure out why Firefox 112.0.1 is unable to show the sites like the Firefox 102.0.10 ESR does. This is not the first that we do this, because with Firefox you can never be sure of what will happen when installed an update, an upgrade or whatever they have released. One version will f*** off a website, then next update fixed it however it breaks other site, and so forth. The never ending history of Firefox, it has been always the same for me. So why I use Firefox? Because it’s the only bridge to some good practices on the web, privacy and some other morality stuff that is shown here more or less every week. Chrome has reached the numbers it has because Firefox is very daring to do weird experiments and unsolicited innovations that don’t quite work as its development team supposed to do. As my father says quite often with sadness, “Firefox is very stable in its great inconstancy”. Just my two cents, here there are readers that have more knowledge than me and I read them with some attention. Thanks for the article!

    1. Iron Heart said on April 20, 2023 at 8:59 am

      @John G.

      Brave = Chrome without the spying.

      1. Seeprime said on April 21, 2023 at 12:49 am

        Agree. Brave works quite well.

      2. Anonymous said on April 20, 2023 at 4:32 pm

        @ Iron Heart
        I noticed that you don’t post here as often any more. I enjoy your comments and insight. Do you post anywhere else?

      3. Iron Heart said on April 20, 2023 at 9:25 pm

        @Anonymous

        Nice to read that someone misses me, haha. I don’t post here as often anymore because a) this website sucks now and b) because half of the comments here are trolls who post utter nonsense, under the select few articles that have any comments whatsoever, I mean.

        And I do not post anywhere else currently. I quietly observe several advanced privacy communities and I have adjusted my own setups accordingly, without talking about it here or elsewhere.

      4. Anonymous said on April 21, 2023 at 3:16 am

        @ Iron Heart

        Will you share those sites?

      5. Jody Thornton said on April 20, 2023 at 9:43 am

        Not by default. Disable following features

        Use Google services for push messaging
        Make sure secure DNS is not set to Google
        Allow Google login for extensions
        Allow privacy-preserving product analytics (P3A)
        Automatically send daily usage ping to Brave
        Improve search suggestions
        Wallets
        Autofill
        Web Discovery Project
        and Google safe browsing if you’re extra paranoid, but you risk getting malware.

        There’s a few more I can’t remember.

      6. Iron Heart said on April 20, 2023 at 9:17 pm

        @Jody Thornton

        Half of those aren’t even related to Google. And when they are, the connection is proxied. For example: Google push messaging or SafeBrowsing, are getting proxied by Brave Software. That being said, if you are using none of these functionalities, turning them off is what you should be doing of course. Because, less outgoing connections is better. Always.

    2. Yash said on April 19, 2023 at 7:44 pm

      With Firefox updates I try to hold it for a week before updating the browser. Never had any issue on Firefox following that approach. And yes you can say well what about security? Again there are security issues but you have to take into account – are you affected by it? Generally good privacy setting coupled with privacy add-ons can hold on for a week in terms of security before updating the browser.

    3. basingstoke said on April 19, 2023 at 4:14 pm

      Really silly comment – have been “daily driving” firefox for about a year now – not encountered any issues which were the browser’s fault. Also used Chrome a lot up until 5 months ago… couldn’t tell you that one is more stable than another.

      The only things I prefer is how managing “downloads” works in Chrome, and how easy it is to parse “history.db” – on Firefox both of these tasks are more of a pain – no other difference noted. Oh, right – if I don’t like some stupid icon/button and it clutters my view, I couldn’t always remove it in chrome, but in firefox you always can.

      You are being overly dramatic – the browser is fine and stable.

      1. John G. said on April 19, 2023 at 4:32 pm

        @basingstoke, I am not the culprit that Firefox has lost more than 50M users in two years. And imho Firefox is not stable as it could be according to the number of people maintaining it because is open code, so everyone can say whatever the bug and the solution. ESR branch is stable, normal branch clearly isn’t. I had at least one major issue with normal Firefox per month until I decided to use it only occasionally for very few purposes. Anyway, I like computers and I like to test every new version of Firefox to see how it works. FF fine? Yes. FF stable? Nope, every new release has something broke. And I mean every new one, by experience.

      2. John G. said on April 19, 2023 at 4:47 pm

        @basingstoke, I have FF ESR in Ubuntu, and FF normal in my laptop. And I see the long difference of how the two branches work. I don’t know if you have the choice to use both branches to compare the good and the bad things of each one. My good words are always for Firefox ESR, you can seed along whole Ghacks and you won’t find a single bad word about Firefox ESR. However the normal branch sincerely has pissed me off some times unfortunately.

    4. Jek they/them Porkins said on April 19, 2023 at 2:01 pm

      If you really want to relive your Netscape days, try using Seamonkey, use the classic theme.

      1. John G. said on April 19, 2023 at 3:04 pm

        @Jek they/them Porkins, I was only a child when my father used the Netscape browser, furthermore I still hear in my mind the modem ring tones and its weird sounds, such great remembers of my young father waiting hours to receive videos or images! Time goes by, and indeed my father uses sometimes Seamonkey for chat and mail. :]

        PS., my friends and me have finally found the problem with Firefox 112: a broken profile.
