Update Google Chrome now to fix these three urgent security flaws


Google has updated the desktop version of its Chrome browser for Windows, Mac and Linux yet again, pushing the version number to 90.0.4430.93 and fixing nine security flaws, at least three of which merit the "High" severity rating.

Unlike some of the other Chrome security updates of the past two months, there are no patches this time for "zero-day" flaws under active attack by hackers. But because the bad guys can often figure out what the vulnerabilities are by analyzing the changes in the code, it's best to update your Chrome browser now.

On Mac or Windows, click the three vertical dots at the top right corner of the browser window, scroll down, highlight Help and click "About Google Chrome" in the fly-out menu that appears.

A new tab will open; it will either tell you that your build of Chrome is up-to-date or download the new version, after which you have to relaunch the browser.

Linux users generally have to wait until their distributions of choice push out Chrome updates along with the rest of the regular software updates.

Because Chrome shares its underpinnings with Brave, Microsoft Edge, Opera and Vivaldi, among others, those browsers will eventually need to be updated as well. 

In Brave and Edge, click the settings icon in the top right corner, scroll down and hunt for "About." In Opera and Vivaldi, click the browser logo in the top left corner.

However, as of this writing Wednesday afternoon (April 28), only Brave had been updated to match Chrome with version 90.0.4430.93. 

Opera was still based on Chromium 90.0.4430.85, and Vivaldi on Chromium 89.0.4389.128. Edge uses slightly different version numbers, but plugging "edge://version" into the address bar tells us that its current version is based on Chromium 90.0.4430.85.
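The comparison above can be scripted. This is an added example, not part of the original article: it flags Chromium-based browsers whose base version is behind the patched build 90.0.4430.93. The function names, the User-Agent line used for Edge and the "kiosk-app" entry are constructed for illustration.

```python
import re

# Patched Chromium build named in the article.
PATCHED = (90, 0, 4430, 93)

_UA_TOKEN = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")
_BARE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*")


def chromium_version(text):
    """Return the Chromium version found in text as a tuple of ints, or None.

    Accepts a bare version ("90.0.4430.85") or a User-Agent string that
    carries a "Chrome/<version>" token, as Chromium-based browsers send.
    """
    match = _UA_TOKEN.search(text) or _BARE.fullmatch(text)
    return tuple(int(part) for part in match.groups()) if match else None


def audit(inventory, patched=PATCHED):
    """Map each name to 'patched', 'outdated' or 'unknown'."""
    report = {}
    for name, raw in inventory.items():
        version = chromium_version(raw)
        if version is None:
            report[name] = "unknown"  # unparseable: needs a manual check
        else:
            # Tuples compare field by field as integers, so 4430.100 sorts
            # after 4430.93 (a plain string comparison would get this wrong).
            report[name] = "patched" if version >= patched else "outdated"
    return report


# Chromium base versions as reported in the article (April 28).
INVENTORY = {
    "Brave": "90.0.4430.93",
    "Opera": "90.0.4430.85",
    "Vivaldi": "89.0.4389.128",
    # Constructed User-Agent line carrying the Chromium base the article gives for Edge.
    "Edge": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36",
    "kiosk-app": "n/a",  # constructed entry with no version recorded
}

if __name__ == "__main__":
    for name, status in audit(INVENTORY).items():
        print(f"{name:10} {status}")
```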

Stay in your sandbox, kid

One of the most severe flaws fixed in the new version of Chrome involves a problem with the V8 JavaScript engine, also the crux of two well-publicized flaws fixed earlier this month. 

Like those, this new flaw is harmless unless the browser has "sandboxing" turned off, in which case it can be used to take over the computer's operating system.

Researcher Gengming Liu of Singular Security Lab disclosed this flaw to Google on April 15 and will collect $15,000 as a "bug bounty" for his discovery.

Most Chromium-based browsers have sandboxing turned on by default. But desktop applications that use Chromium, such as those for Slack, Discord, Spotify, Bitwarden, WhatsApp, Twitch, Microsoft Teams, Skype and other services, may have sandboxing turned off. So keep an eye out for updates for those apps.

The other two high-severity flaws discovered by outside researchers — Google waits to disclose flaws found in-house — were a use-after-free memory vulnerability in Dev Tools found by a Microsoft researcher, and a heap-buffer overflow (also a memory issue) in the ANGLE graphics engine. Further details on those flaws were not yet available.

By our count, this is the eighth Chrome for desktop security update in the past two months, and the fourth in the past two weeks. The Chrome/Chromium developers have certainly been busy; the upshot is that their efforts have made the browser(s) very safe to use.

Here's a list of the most recent Chrome/Chromium updates, if you're interested.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.