Google yesterday (Oct. 28) pushed out an update for Chrome on the desktop that fixes eight security vulnerabilities, including two serious "zero-day" flaws that are already under attack by hackers unnamed.
The update takes Chrome to version 95.0.4638.69 (opens in new tab) for Windows, Mac and Linux. Windows and Mac users can usually just relaunch the browser to install the update, while Linux users may have to wait until their distribution bundles the update into its regular update package.
- 70% of Wi-Fi networks are easy to hack — how to protect yourself
- The best internet security suites to protect all your devices
- Plus: Apple has urgent security fixes for iPhones, iPads, Macs — update now
Otherwise, you can force a Chrome update by clicking the three vertical dots at the top right of the browser window, then mousing down and clicking Help. Click "About Google Chrome" in the fly-out menu that appears, and a new tab will either tell you that Chrome is up-to-date or will download the update.
How these Chrome flaws can be exploited
We're going to guess that the first permits a web app to do naughty things, while the second permits a website to do the same. Google isn't saying anything further.
Because the reporters of these flaws all work for Google, they likely won't be getting any bug-bounty money. But external researchers will be for some of the other flaws patched, including Wei Yuan of MoyunSec VLab, who will net $10,000 for his discovery of a "use-after-free" bug in Chrome's sign-in protocol.
Use-after-free means that the memory space wasn't properly reallocated after the protocol finished using it, potentially allowing a malicious program to literally invade the space.
The other four described flaws also have to do with use-after-free issues, insufficient validation, V8 or some combination of those. Google isn't saying anything about the eighth vulnerability being patched.
Zero-days as far as the eye can see
Some other browsers that share the Chromium open-source underpinnings with Chrome have also updated to the new version, including Brave and Microsoft Edge. (Like Chrome, you can just relaunch those to update them.) Others, such as Opera and Vivaldi, are not quite there yet.
Google has patched more than a dozen zero-days flaws already in this exceptionally busy year. We're not sure if that's a good thing, indicating a greater share of flaws may be being found, or a bad thing that there may be more zero-days in general.
Here's a list of recent Chrome desktop updates.
- Oct. 28: 95.0.4638.69 (opens in new tab)
- Oct. 19: 95.0.4638.54 (opens in new tab)
- Oct. 7: 94.0.4606.81 (opens in new tab)
- Sept. 30: 94.0.4606.71 (opens in new tab)
- Sept. 24: 94.0.4606.61 (opens in new tab)
- Sept. 21: 94.0.4606.54 (opens in new tab)
- Sept. 13: 93.0.4577.82 (opens in new tab)
- Aug. 31: 93.0.4577.63 (opens in new tab)
- Aug. 16: 92.0.4515.159 (opens in new tab)
- Aug. 2: 92.0.4515.131 (opens in new tab)
- July 20: 92.0.4515.107 (opens in new tab)
- July 15: 91.0.4472.164 (opens in new tab)