Google last week issued an update to its Chrome web browser that fixes a critical security flaw. But because it doesn't want attackers exploiting the vulnerability before users have updated, the browser maker gave few details beyond describing the flaw as a "use after free in speech recognizer."
Thanks to Sophos security researcher Paul Ducklin, we have a somewhat better idea about the fix inside Chrome version 81.0.4044.113 for Windows, Mac and Linux users -- and why and how you should check to make sure you have the update.
According to Ducklin's post on NakedSecurity, the Sophos consumer blog, the bug in Chrome could probably let attackers sidestep "any of the browser's usual security checks or 'are you sure' dialogs."
Like many use-after-free bugs, this one might "allow an attacker to change the flow of control inside your program, including diverting the CPU to run untrusted code that the attacker just poked into memory from outside," Ducklin said.
A "use after free" bug is when a program keeps using a block of memory after it has already "freed" that block, handing it back to its memory allocator. The allocator is then entitled to give that same block out again to the next request of a similar size. An attacker who can trigger allocations, which in a browser means anyone who can get a web page's script to run, can refill the block with bytes they control and trick the program into treating those bytes as the object it believes is still there.
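How a use-after-free turns into attacker control, shown as an added example that is not Chrome's code and not from Ducklin's post: a toy slab allocator stands in for the browser heap, `recognizer_t` is a hypothetical stand-in for the speech recognizer object (the real object's layout is not described in the advisory), and the hardened flow shows one standard mitigation, generation-checked handles, which is not a claim about the fix Google actually shipped.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy slab allocator standing in for the browser heap (added example, not
 * Chrome's allocator). Slots of one size class are recycled last-freed-first,
 * which is exactly the behaviour a use-after-free exploit relies on. */
#define SLOT_SIZE 32
#define NSLOTS 4

static _Alignas(uintptr_t) uint8_t slab[NSLOTS][SLOT_SIZE];
static int free_stack[NSLOTS];
static int free_top;
static uint32_t slot_gen[NSLOTS];      /* bumped on every free; used by the hardened flow */

static void slab_init(void) {
    free_top = 0;
    memset(slot_gen, 0, sizeof slot_gen);
    for (int i = NSLOTS - 1; i >= 0; i--) free_stack[free_top++] = i;
}
static int slab_alloc(void) {          /* returns a slot index, -1 when exhausted */
    return free_top > 0 ? free_stack[--free_top] : -1;
}
static void slab_free(int slot) {
    slot_gen[slot]++;
    free_stack[free_top++] = slot;
}

/* Hypothetical recognizer record: its first field is a callback pointer, the
 * classic control-flow target. Stored as an integer so the demo never calls it. */
typedef struct {
    uintptr_t on_result;
    char label[SLOT_SIZE - sizeof(uintptr_t)];
} recognizer_t;

static void legit_callback(void) { /* what the program intended to call */ }

/* Pattern the attacker sprays into the freed slot: every byte 0x41 ("A"). */
static uintptr_t attacker_pattern(void) {
    uintptr_t v; memset(&v, 0x41, sizeof v); return v;
}

/* Vulnerable flow: a raw pointer outlives the object it points to.
 * Returns the callback value the stale pointer sees afterwards. */
uintptr_t vulnerable_flow(void) {
    slab_init();
    int slot = slab_alloc();
    recognizer_t *rec = (recognizer_t *)slab[slot];
    rec->on_result = (uintptr_t)legit_callback;
    recognizer_t *stale = rec;         /* e.g. a queued event still holding the object */
    slab_free(slot);                   /* object freed, but `stale` still points at the slot */
    /* attacker-controlled allocation of the same size class lands in the freed slot */
    uint8_t *spray = slab[slab_alloc()];
    memset(spray, 0x41, SLOT_SIZE);
    return stale->on_result;           /* now 0x4141...: the attacker chooses where control goes */
}

/* Hardened flow: references are (slot, generation) handles validated before
 * every use, so a stale reference is refused instead of dereferenced. */
typedef struct { int slot; uint32_t gen; } handle_t;

static handle_t handle_new(int slot) { handle_t h = { slot, slot_gen[slot] }; return h; }
static recognizer_t *handle_get(handle_t h) {
    if (h.slot < 0 || h.slot >= NSLOTS || slot_gen[h.slot] != h.gen) return NULL;
    return (recognizer_t *)slab[h.slot];
}

/* Returns 1 if the stale use was refused, 0 if attacker data would have been used. */
int hardened_flow(void) {
    slab_init();
    int slot = slab_alloc();
    handle_t h = handle_new(slot);
    handle_get(h)->on_result = (uintptr_t)legit_callback;
    slab_free(slot);                   /* generation bumps here, invalidating `h` */
    uint8_t *spray = slab[slab_alloc()];
    memset(spray, 0x41, SLOT_SIZE);
    return handle_get(h) == NULL;      /* stale handle no longer resolves */
}

int main(void) {
    printf("vulnerable: stale pointer sees callback 0x%lx (attacker pattern 0x%lx)\n",
           (unsigned long)vulnerable_flow(), (unsigned long)attacker_pattern());
    printf("hardened:   stale handle refused = %d\n", hardened_flow());
    return 0;
}
```

The point of the vulnerable flow is that nothing crashes: the program simply reads a callback address the attacker wrote, which is how a use-after-free becomes the "diverting the CPU" that Ducklin describes. Real exploits need the spray to land in the same size class as the freed object and to win any race, which is why such bugs are rated on exploitability rather than assumed to be exploitable by default.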
Because Google has deemed this bug "critical," it's likely that the flaw permits remote code execution, Ducklin said, meaning a bad actor can "run code on your computer remotely, without warning, even if they’re on the other side of the world." In Chrome's own severity scale, "critical" is reserved for bugs that let a web page run arbitrary code on the underlying platform in the normal course of browsing, which is the rating's significance here.
Google says Chrome version 81.0.4044.113, “will roll out over the coming days/weeks," and the browser will update itself automatically for many desktop users. But Ducklin recommends updating it manually just in case.
Scary Chrome bug: What you can do
Look for the Chrome menu icon in the browser's toolbar. It's usually in the upper right, represented by three stacked dots. If there's an update waiting for you, those three dots will be colored.
Green means an update to Chrome was released less than two days ago, orange means an update was released about four days ago, and red means an update was released at least a week ago.
Whatever their color (gray only means Chrome hasn't flagged a pending update yet, and the check below works regardless), click the icon, scroll down to Help, then choose About Google Chrome in the fly-out menu.
When you open the About Google Chrome page, Chrome automatically begins checking for updates and also shows you which version of the browser you're currently running.
You'll want Chrome version 81.0.4044.113 or later. If you're on an older version, the About Chrome page should prompt you to update; you will likely need to relaunch your browser to finish applying it.
While you're there, make sure automatic updates are enabled for your device. That way, when Google releases future patches, you won't need to run updates through this manual method.