
Chrome browser under attack — what to do now

Chrome updates are usually interesting for new features, such as the new way to group tabs. In the past few weeks, though, there has been a more important reason to update Chrome: your security has been under active attack, according to Google itself.

In a post on the Bitdefender Hot For Security blog, the security firm calls out Chrome version 86.0.4240.198, released yesterday (Nov. 11) for Windows, Mac and Linux, as a must download. The update addresses "two serious flaws," according to Bitdefender. 

On the official Chrome release blog, both flaws (tracked as CVE-2020-16013 and CVE-2020-16017) are rated "High" severity.

Chrome Technical Program Manager Prudhvikumar Bommana writes that Google is "aware of reports that exploits for CVE-2020-16013 and CVE-2020-16017 exist in the wild." 

In other words, someone is already using these flaws to attack Chrome users. From Bommana's brief descriptions, one flaw is in V8, Chrome's JavaScript engine, and the other is a use-after-free in site isolation, the mechanism that keeps different websites' code walled off from each other.

The linked entries in the Chromium bug tracker for those two flaws are restricted for now, meaning that Google doesn't want technical details public yet, most likely so that other attackers can't copy the exploits.

As Bommana writes, "Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed." 

In other words, Google doesn't want more people to take advantage of these flaws, which almost certainly also affect other Chromium-based browsers such as Brave, Microsoft Edge, Opera and Vivaldi. 

These are the fourth and fifth "zero-day" flaws (vulnerabilities that attackers are already exploiting before the vendor has a fix available) reported in Chrome in the past month, including one for Chrome on Android. While the previous three were all discovered by Google's own Project Zero team, Google credits these latest two to anonymous researchers.

Project Zero also found three zero-day flaws in Apple's iOS and one zero-day flaw in Microsoft Windows, all of which have now been fixed. Google has dropped hints that some or all of these flaws may be part of a state-sponsored espionage campaign.

How to update Chrome and similar browsers

This one's easy. All you need to do is update Chrome, which anyone can do, even on computers whose admin rights are locked down by their employers, as I can attest.

Here's how to do a manual Chrome update.

  1. Click the three dots in the top right corner of a Chrome window. (On a Mac, Cmd + , opens Settings directly. On any platform, typing chrome://settings/help into the address bar jumps straight to the About Chrome page in step 3.)
  2. Click Settings.
  3. Click About Chrome. Opening this page triggers an update check, so you'll likely see a message that says "Updating Google Chrome" while the new version downloads.
  4. Save any work you have open in Chrome, because the browser will shut down, then click Relaunch.
  5. Chrome will restart, and you'll see the message "Google Chrome is up to date" with the version number "86.0.4240.198" underneath. If you see a lower version number, the update has not been applied yet.

The update instructions are very similar for Brave, Edge and other Chromium-based browsers, although new versions may not be available for all of those yet.
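If you look after more than one or two machines, clicking through About Chrome on each of them doesn't scale. The script below is an added example (it is not from the article, Google or Bitdefender) that reads the browser's `--version` output and tells you whether the installed build predates 86.0.4240.198, the release that fixes CVE-2020-16013 and CVE-2020-16017. The binary names and the macOS path it searches are assumptions to adjust for your own fleet, and when no browser is found it falls back to a constructed sample string so that it still runs offline.

```shell
#!/bin/sh
# Added example (not from the article): report whether the installed Chrome or
# Chromium build predates 86.0.4240.198, the release that fixes
# CVE-2020-16013 and CVE-2020-16017.
FIXED_VERSION="86.0.4240.198"

# Compare dotted version strings component by component; prints -1, 0 or 1.
# A plain string comparison would be wrong here ("86.0.4240.198" sorts before
# "86.0.4240.99" as text), so each numeric field is compared in turn.
version_cmp() {
  i=1
  while :; do
    x=$(printf '%s' "$1" | cut -d. -f"$i")
    y=$(printf '%s' "$2" | cut -d. -f"$i")
    if [ -z "$x" ] && [ -z "$y" ]; then printf '%s\n' 0; return 0; fi
    x=${x:-0}; y=${y:-0}          # missing trailing components count as 0
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return 0; fi
    i=$((i + 1))
  done
}

# Pull the four-part version out of "--version" output such as
# "Google Chrome 86.0.4240.198" or "Chromium 86.0.4240.183 Ubuntu 20.04".
parse_version() {
  printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# Exit status 0 when the build named in the --version output is older than
# the fixed release, 1 when it is current or newer, 2 when no version number
# could be found in the text.
needs_update() {
  v=$(parse_version "$1")
  if [ -z "$v" ]; then
    echo "no version number found in: $1" >&2
    return 2
  fi
  [ "$(version_cmp "$v" "$FIXED_VERSION")" -lt 0 ]
}

# Look for a browser binary (these names and the macOS path are assumptions;
# adjust them for your fleet). Falls back to a constructed sample string when
# nothing is installed so the script also runs offline.
check_installed() {
  out=""
  for bin in google-chrome google-chrome-stable chromium chromium-browser \
      "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
    if command -v "$bin" >/dev/null 2>&1; then
      out=$("$bin" --version 2>/dev/null) || continue
      break
    fi
  done
  : "${out:="Google Chrome 86.0.4240.183"}"   # constructed sample: a vulnerable build
  if needs_update "$out"; then
    echo "VULNERABLE: $out (fixed in $FIXED_VERSION)"
  else
    echo "OK: $out"
  fi
  return 0
}

check_installed
```

Run it with `sh check_chrome.sh` on each machine, or push it out through whatever remote-execution tool you already use. The version regex only matches the four-part Chrome/Chromium numbering, so Edge, Brave and the other Chromium-based browsers, whose fixed versions differ from Chrome's, need their own fixed-version constant before the same comparison applies.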

Chrome will often update on its own if you simply close and then relaunch the browser. But considering the advice from Google, I say update your Chrome right now. I'm doing it the second I'm done writing this post, and I'm going to my parents' computers to do the same.