Google Chrome just patched urgent security flaws — what to do right now
Seven serious flaws fixed in latest update
Google has pushed out yet another security update to the desktop version of the Chrome browser on Windows, Mac and Linux, the fourth such update in the past three weeks.
The new version of Chrome and its Chromium open-source underpinnings is labeled 90.0.4430.85 and was released late yesterday (April 20). It patches seven security flaws, including one "zero-day" (sort of) flaw that was disclosed in the wild before Google had a chance to fully patch it.
That vulnerability, which turned out to be not quite a zero-day flaw, appears to be the same as one disclosed on Twitter in the middle of last week, as opposed to a different zero-day(ish) flaw posted on Twitter at the beginning of last week.
How to update Chrome
Updating Chrome is easy on Windows or Mac. The browser will automatically update itself when it launches, so you can just close and then relaunch it to trigger that process. On Linux, you'll likely have to wait for your distribution's next batch of updates.
To make certain Chrome has been updated, click the three vertical dots at the top-right of the browser window, move your cursor down to "Help" and click "About Google Chrome" in the fly-out menu that appears.
A new tab will open. It either will tell you that your browser is up-to-date or will download the new version, in which case you'll need to relaunch the browser.
Dueling credits
Google's official Chrome Releases blog gave sparing details of the five security flaws discovered by outside researchers, if not the two found in-house. Three have to do with issues in the V8 JavaScript engine used in Chromium, including the one revealed online last week.
That one flaw is assigned the catalog number CVE-2021-21224 and described as resulting from "Type Confusion in V8". Blog post author Srinivas Sista dryly noted that "Google is aware of reports that exploits for CVE-2021-21224 exist in the wild," normally the hallmark of a zero-day flaw.
Credit (and an as-yet-undetermined bug bounty) for that discovery goes to Argentine security researcher Jose Martinez of VerSprite Inc., whose hacker handle is "tr0y4".
Another person, a Chinese researcher calling himself "frust," posted a link on Twitter April 14 to code that would pop open the Notepad application if a malicious web page loaded in Chrome on Windows.
On Twitter last night, Martinez explained that he'd submitted his bug report to Google on April 5, as confirmed by the Google blog post.
Martinez said Google fixed the issue in the open-source V8 engine April 12 and made the changes public, which meant that people like frust could reverse-engineer the changes and then claim to have found a "zero-day" flaw.
hi haha right, I'm the original reporter. Timeline:
5th April: I've submitted my bug to Google Chrome VRP report
12th April: I've submitted my RCE 0day exploit
12th April: Google patched v8 engine, but also made regress/unittest public
14th April: people viralized 1day exploit
(April 20, 2021)
The same thing happened with a previous flaw in V8 that had been disclosed by two European researchers who used it to win $100,000 at the Pwn2Own hacking contest earlier this month.
An Indian researcher observed the subsequent changes to V8 and declared his own "zero-day" flaw, but later walked back that declaration. That flaw was patched with Chrome/Chromium version 89.0.4389.128 on April 13.
A real zero-day flaw is one that the affected software's developers aren't even aware of before it appears in the wild, hence giving them "zero days" to fix it before it becomes public.
All this hacking and patching has resulted in a busy month for Chrome and Chromium developers. Here's a list of the updates since March 1:
- 4/20: 90.0.4430.85
- 4/14: 90.0.4430.72
- 4/13: 89.0.4389.128
- 3/30: 89.0.4389.114
- 3/12: 89.0.4389.90
- 3/05: 89.0.4389.82
- 3/02: 89.0.4389.72
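For anyone checking more than one machine, it helps to compare the reported version against the fixed build programmatically rather than by eye. The following Python script is an added example and is not from the article, from Google or from any browser vendor. It treats 90.0.4430.85 (the Chrome release the article says carries the CVE-2021-21224 fix) as the minimum, compares versions numerically component by component (a plain string comparison would wrongly rank "90.0.4430.9" above "90.0.4430.85"), and flags any host whose browser is older or whose version cannot be parsed. The inventory lines, hostnames and the Vivaldi/Brave version numbers in it are constructed sample data; Edge is left out because, as the article notes, it uses its own numbering.

```python
"""Check Chromium-based browser versions against the fixed build.

Added example, not part of the Tom's Guide article. The inventory below is
constructed sample data; the minimum version 90.0.4430.85 is the Chrome
release the article says fixes CVE-2021-21224.
"""
from __future__ import annotations

import re

FIXED_CHROMIUM_VERSION = "90.0.4430.85"

# Chromium versions have exactly four dotted numeric components.
_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Split a four-part Chromium version string into integers.

    Comparing dotted strings lexically is wrong ("90.0.4430.9" > "90.0.4430.85"
    as strings), so each component is converted and compared numerically.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"not a Chromium-style version: {version!r}")
    major, minor, build, patch = (int(p) for p in version.split("."))
    return major, minor, build, patch


def is_patched(version: str, minimum: str = FIXED_CHROMIUM_VERSION) -> bool:
    """True if `version` is at or above the release that carries the fix."""
    return parse_version(version) >= parse_version(minimum)


# Constructed inventory: one "host,browser,version" line per machine.
# Hostnames and the non-Chrome version numbers are made up for the example.
SAMPLE_INVENTORY = """\
ws-01,chrome,90.0.4430.85
ws-02,chrome,90.0.4430.72
ws-03,brave,89.0.4389.128
ws-04,vivaldi,90.0.4430.9
ws-05,chrome,90.0.4430.93
ws-06,opera,not-installed
"""


def find_unpatched(inventory: str, minimum: str = FIXED_CHROMIUM_VERSION) -> list[str]:
    """Return hostnames whose browser is below `minimum`.

    A version that cannot be parsed is also reported, because a host whose
    browser version cannot be verified should not be assumed safe.
    """
    flagged = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _browser, version = line.split(",", 2)
        try:
            ok = is_patched(version, minimum)
        except ValueError:
            ok = False
        if not ok:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: update required (below {FIXED_CHROMIUM_VERSION})")
```

Run as-is it lists ws-02, ws-03, ws-04 and ws-06; swap `SAMPLE_INVENTORY` for a real export from your endpoint-management tool to check an actual fleet.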
How to update Edge, Brave, Opera and Vivaldi
Several other well-known browsers base themselves on Chromium, including Brave, Microsoft Edge, Opera and Vivaldi. As of this writing (12:45 p.m. New York time April 21), Brave was still on the previous version of Chromium, Vivaldi was two versions behind and Opera three versions behind.
Edge uses a slightly different numbering system, but it has been updated at least once since its last documented security update on April 16, so we can presume Edge is up-to-date.
Updating Edge or Brave is similar to updating Chrome. Click the settings icon on the top right of the browser window and scroll down looking for something marked "About" at or near the bottom of the menu. "About" may also be hiding in a "Help" fly-out menu.
In Opera and Vivaldi, start by clicking the browser icon at the top left of the window, then scroll down to "Help" and click "About" in the fly-out menu.
As with Chrome, clicking "About" will open a new tab that checks for and installs any available updates.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.