The Cybersecurity and Infrastructure Security Agency is encouraging Google users to update again just weeks after the Chrome 80 release. Here’s what you need to know.
Earlier this month, version 80 of the Google Chrome browser was released, a release that caused something of an immediate kerfuffle, with warnings that cookie changes could break stuff and even potential new privacy concerns. But updating to a new version of Chrome brings more than just functionality upgrades (or downgrades, depending on your viewpoint): it brings security fixes as well.
Google Chrome 80, for example, included no less than 56 such security fixes. As a “security guy,” my concerns over security tend to trump all else, and recommending that users implement updates as soon as possible is instinctive to me. Sure, juggle with those functionality and privacy issues, and choose another product if they wrangle too much, but don’t use an insecure browser. The U.S. Government has just issued some similar “update now” advice, also for Google Chrome, as there have already been more high-rated security vulnerabilities found and fixed since Chrome 80 hit our devices.
The CISA Google Chrome 80 ‘update again’ advice
The United States Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a notification that “encourages” users and administrators to update the Google Chrome web browser to version 80.0.3987.116. The new release, for Windows, Mac and Linux users, addresses several high-rated vulnerabilities that could, the CISA warns, be exploited by an attacker to take control of the affected system. While it is unusual for a web browser to be updated so quickly after a major release, it is not unknown. In January, CISA issued similar update advice for users of Mozilla Firefox within days of the version 72 release.
Not a lot is known, publicly at least, about the vulnerabilities concerned. The Common Vulnerabilities and Exposures (CVE) numbers and very limited descriptions only appeared on Friday, February 21. According to the Chrome releases blog, “the stable channel has been updated to 80.0.3987.116 for Windows, Mac, and Linux, which will roll out over the coming days/weeks,” but “access to bug details and links may be kept restricted until a majority of users are updated with a fix.”
What is known about these new Chrome security vulnerabilities?
What is known is that this latest update has a total of five further security fixes in addition to the 56 that were part of the Chrome 80 release on February 4. At least three of the vulnerabilities have a high Common Vulnerability Scoring System (CVSS) rating and were contributed by “external researchers.” One of them, CVE-2020-6383, was reported by a Google Project Zero researcher. This was a “type confusion” vulnerability, the Common Weakness Enumeration definition for which is that it occurs when a program accesses a resource using an “incompatible type,” which can then “trigger logical errors because the resource does not have expected properties.”
The remaining two vulnerabilities, CVE-2020-6384 and CVE-2020-6386, earned bounty payments of $7,500 (£5,800) and $5,000 (£3,900) respectively. Google paid security researchers, or ethical hackers if you prefer, a total of $6.5 million (£5 million) for finding vulnerabilities in 2019.
CISA encourages users to apply the necessary updates
The Center for Internet Security (CIS) has also issued an advisory that warns of “multiple vulnerabilities in Google Chrome,” the most severe of which might enable arbitrary code execution within the context of the browser. Dependent upon the associated privileges, the CIS advisory warns, “An attacker could install programs; view, change, or delete data; or create new accounts with full user rights.” There are, however, no current reports of any of the vulnerabilities having been exploited in the wild. Yet. Which is all the more reason to follow the CISA advice, which “encourages users and administrators to review the Chrome Release and apply the necessary updates.”
You can check to see what version you currently have, and initiate an update if one is available, by going to Help|About Google Chrome.
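For administrators checking more than one machine, the version string needs to be compared numerically rather than as text: a plain string comparison ranks “80.0.3987.87” above “80.0.3987.116” and would wrongly report an unpatched build as current. The following is an added example, not code from the article, CISA or Google; the host names and the “google-chrome --version” style output lines are constructed samples, and only the fixed version 80.0.3987.116 comes from the advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Minimum fixed version named in the CISA notice and the Chrome releases blog.
REQUIRED = "80.0.3987.116"


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull a four-part dotted Chrome version out of free text such as
    'Google Chrome 80.0.3987.87' and return it as a tuple of ints.
    Returns None when no version is present (e.g. Chrome not installed)."""
    m = re.search(r"(\d+(?:\.\d+){3})", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(installed: str, required: str = REQUIRED) -> bool:
    """True when the installed build is at or above the required fix version.
    Tuples of ints compare component by component, so 87 < 116 as intended,
    whereas comparing the raw strings would give '87' > '116'."""
    have = parse_version(installed)
    need = parse_version(required)
    if have is None or need is None:
        return False  # unknown or missing version: treat as not patched
    return have >= need


# Constructed sample of 'google-chrome --version' output from several hosts
# (hypothetical host names and outputs, not real inventory data).
SAMPLE_HOSTS: Dict[str, str] = {
    "host-a": "Google Chrome 80.0.3987.87",   # earlier Chrome 80 build
    "host-b": "Google Chrome 80.0.3987.116",  # exactly the advisory version
    "host-c": "Google Chrome 79.0.3945.130",  # older major version
    "host-d": "Google Chrome 80.0.3987.122",  # later patch level than required
    "host-e": "command not found",            # Chrome not installed or not found
}


def unpatched_hosts(hosts: Dict[str, str]) -> List[str]:
    """Return the names of hosts whose reported version does not meet REQUIRED."""
    return [name for name, output in hosts.items() if not is_patched(output)]


if __name__ == "__main__":
    for name, output in SAMPLE_HOSTS.items():
        status = "OK" if is_patched(output) else "UPDATE NEEDED"
        print(f"{name}: {status} ({output})")
```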