Google Chrome 120 update fixes 9 security issues
Google released the weekly security update for its Chrome web browser a few hours ago. The update for Chrome Stable and Chrome Extended Stable fixes nine unique security issues in the browser. Since it is a point update, it does not introduce any non-security changes in the browser.
Chrome users may want to update the web browser as soon as possible. While Chrome supports automatic updates, these may take days or sometimes even weeks before they are pushed to all installations.
The best way to update immediately is to load chrome://settings/help in the browser's address bar. Chrome displays the version of the browser and checks for updates. If an update is found, it will be downloaded and installed automatically. A restart is required to complete the process.
The update is available for all desktop versions of Chrome as well as Chrome for Android. One of the following versions should be displayed after the successful update installation:
- Chrome for macOS, Linux or Windows: 120.0.6099.109
- Chrome Extended for macOS and Windows: 120.0.6099.109
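A fleet-side check for the fixed build listed above, as an added example that is not part of the original article. It compares versions numerically per component, because a plain string comparison ranks 120.0.6099.71 above 120.0.6099.109. The hostnames and the inventory are constructed; the version strings are shaped like the text shown on chrome://settings/help and printed by `--version`.

```python
import re

# Fixed build named in the article for Chrome Stable / Extended Stable on desktop.
FIXED_BUILD = "120.0.6099.109"

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract the first four-part version in text as a tuple of ints."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(reported, fixed=FIXED_BUILD):
    """True if the reported version is at or above the fixed build."""
    return parse_version(reported) >= parse_version(fixed)


def audit(inventory):
    """Split hosts into those below the fixed build and those with no readable version."""
    result = {"stale": [], "unknown": []}
    for host in sorted(inventory):
        try:
            if not is_patched(inventory[host]):
                result["stale"].append(host)
        except ValueError:
            result["unknown"].append(host)
    return result


# Constructed sample data: hypothetical hosts and illustrative version strings.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 120.0.6099.71",
    "ws-02": "Version 120.0.6099.110 (Official Build) (64-bit)",
    "ws-03": "Google Chrome 120.0.6099.109",
    "ws-04": "Google Chrome 119.9.9999.999",  # constructed, older major version
    "ws-05": "chrome: not installed",
}

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for status, hosts in report.items():
        for host in hosts:
            print(f"{status:8} {host}  {SAMPLE_INVENTORY[host]}")
```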
Google released Chrome 120 Stable last week. Besides security fixes, Chrome 120 introduced several non-security changes. Notable are the dropped support for Android 7 Nougat devices, a new proactive Safety Check feature, the sending of URL-based signals as part of the browser's Permission Suggestion Service, and the ability to share passwords with other members of a Family Group account.
Google Chrome 120
The Chrome security update patches nine security issues in the browser. Six of the nine security issues are listed on the official Chrome Releases website. The three undisclosed vulnerabilities were detected internally by Google. Google never reports internally discovered vulnerabilities publicly.
Here is the list of disclosed vulnerabilities:
- [$16000][1501326] High CVE-2023-6702: Type Confusion in V8. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2023-11-10
- [$7000][1502102] High CVE-2023-6703: Use after free in Blink. Reported by Cassidy Kim (@cassidy6564) on 2023-11-14
- [$7000][1504792] High CVE-2023-6704: Use after free in libavif. Reported by Fudan University on 2023-11-23
- [$7000][1505708] High CVE-2023-6705: Use after free in WebRTC. Reported by Cassidy Kim (@cassidy6564) on 2023-11-28
- [$6000][1500921] High CVE-2023-6706: Use after free in FedCM. Reported by anonymous on 2023-11-09
- [$7000][1504036] Medium CVE-2023-6707: Use after free in CSS. Reported by @ginggilBesel on 2023-11-21
All but one have a severity rating of high, which is second only to critical. Most patches address use-after-free vulnerabilities in various components, including WebRTC, libavif and CSS. A single type confusion issue in V8 is listed as well.
Google makes no mention of exploits in the wild, which means that the company is not aware of attacks actively targeting the fixed vulnerabilities at the time of writing. Exploits may still be created after the release of the update, which is one reason for updating Chrome as soon as possible.
Now You: do you use Google Chrome?
Just updated Chrome to 120.0.6099.110. Windows 10 (64bit). Tried this yesterday and it said 120.0.6099.71 was up to date.
9 security updates…
3 new features that break your workflow…
142 new methods to fingerprint your browser, sell you crap you don’t want and steal your data.
Brave is quickly updated as well, but I find it disturbing that they are so lazy about updating their release notes page; as of writing this post there is still no mention of what kind of changes were made in my latest Brave update.
https://brave.com/latest/
Chrome 120.0.6099.109 is NOT available for Windows at least.
Correct, it’s the 120.6099.110 version that is available for Windows.
I haven’t received an update yet, either, and I’m not the only one based on a search I did on the internet. If there are security problems why not allow the update to the new version (like Edge does).
“weekly security update”??? Really? Can we please release stable non-crapware? Let’s stop using the entire user base as beta testers.
@tinarse every software has security issues…
So what would you rather do? Hold the updates as before and just update a couple of times a week?
Google decided for weekly updates now, which is not too bad, the only thing people need to do is to update and done.
Same with the fork maintainers: update and done. Maybe this way it will be clear which forks will survive and are serious projects and which are just hobby projects.
You can also choose not to update Chromium, a firewall would probably be enough for that.
So what’s the issue here? It brings more security to Chromium browsers; I mean, there is a reason why bounty programs exist and why people would find every security issue in Chromium.
Yes, really. That’s the price you pay if you are the most used browser and virtually competition-less, the bad guys are also focusing on you. Competitor browsers are not more secure just because they are less attacked, that’s just the favorite fallacy of the gHacks comment section.
You can see it with Andy Prough, he recommends to use an obscure, rebranded Firefox rebuild instead, produced by a literal who. Surprised that he hasn’t recommended Pale Meme seeing how he is very active on their forums as well. Also some misleading info re. Debian, if Chromium were impossible to build, I wonder how Brave Software, Vivaldi Technologies, Opera ASA etc. do it on a regular basis. What are they doing different from Debian, and why does Debian do it at all, seeing how Chromium doesn’t even ship with the distribution? Questions, you see, my guess is that dear Andy just made it up out of thin air. Also some misinfo regarding bug reports, literally anyone can open a bug report, including literal whos like our Andy here. Sometimes users misuse them for questions and sometimes the forms are incomplete or insufficient information is being provided, there are duplicates, some of them don’t even report actual bugs in the first place etc. etc. etc. Firefox has a large backlog as well for which the same things are true.
“obscure, produced by a literal who”
You mean like the lunduke and madaidan clickbait articles you constantly spam?
“if Chromium were impossible to build, I wonder how Brave Software, Vivaldi Technologies, Opera ASA etc. do it on a regular basis.”
F-Droid also does not build any Chrome clones. All the browsers you mentioned are made by corporations with large development teams, compared to the open source projects like Fennec, Librewolf, Mull, etc.
>”You can see it with Andy Prough, he recommends to use an obscure, rebranded Firefox rebuild instead, produced by a literal who.”
IceCat has been produced by the GNU project for many years and is very well known for its security and privacy hardening of Firefox. It’s more widely known and respected than Brave, for instance. And since you asked, yes, it can be downloaded for GNU/Linux, Mac and Windows at icecatbrowser[dot]org
>”Surprised that he hasn’t recommended Pale Meme seeing how he is very active on their forums as well.”
I would recommend Pale Moon, but in this case Pale Moon does not try to pass itself off as a hardened security browser, so it’s not an answer to @tinarse’s question.
>”Can we please release stable non-crapware?”
I don’t think so, not with chromium as the base, the code is a complete mess. Recently Debian could not get it to build stably for nearly a full year. Last I checked there were over 14,000 bug reports that had never been triaged by anyone. Not only are you beta testers, but when you do your beta testing job and file a bug report, no one is bothering to read it or to take any action much of the time.
If you wanted stability, you might try using IceCat, which is a hardened security and privacy fork of Firefox’s extended support release.
I attempted a manual update of Windows Chrome from *.71 to *.109 but it is either not available yet, or has been pulled.
Chrome under latest stable Windows 11 was successfully manually updated to Version 120.0.6099.110 (Official Build) (64-bit) at 18:52 EST.
I’m in the same situation. Nothing new, still on 120.0.6099.71 (Official Build) (64-bit)