The good news for the estimated 3.2 billion users of Google’s Chrome web browser is that, as far as we know, there are no new zero-day attacks ongoing against them. However, according to the latest confirmation from Google, a total of 32 new security vulnerabilities have been discovered that impact the Chromium-based browser. Of these, one has a critical impact status, eight are rated high and a further nine are medium.
This is one big, and very important, security update for all Chrome users across Windows, Mac, and Linux platforms. There is also an update rolling out for the Android Chrome app, but this appears not to be security-related as Google has only pointed to “stability and performance” issues in the release announcement.
What are the most important Google Chrome vulnerabilities to be disclosed?
So, what do we know about the May 24 Google Chrome update, which takes the browser to version 102.0.5005.61 for Mac and Linux users and either 102.0.5005.61, 62 or 63 for Windows users? After ensuring my copy on Windows 11 was updated (details below), it is showing as version 102.0.5005.63, but your mileage could vary, it seems.
Anyway, here’s what we know so far about the most important vulnerabilities that have been fixed by this security update.
- CVE-2022-1853 is a critical-rated ‘use after free’ vulnerability impacting IndexedDB, a feature that allows fast access to structured data.
- CVE-2022-1854 is a high-rated ‘use after free’ vulnerability in the ANGLE graphics engine abstraction layer.
- CVE-2022-1855 is a high-rated ‘use after free’ vulnerability in messaging.
- CVE-2022-1856 is a high-rated ‘use after free’ vulnerability in the user education function.
- CVE-2022-1857 is a high-rated vulnerability concerning insufficient policy enforcement in the file system API.
- CVE-2022-1858 is a high-rated ‘out of bounds’ vulnerability impacting DevTools.
- CVE-2022-1859 is another high-rated ‘use after free’ vulnerability, this time within the performance manager.
- CVE-2022-1860 is yet another high-rated ‘use after free’ vulnerability, this time within UI foundations.
- CVE-2022-1861 rounds off the high-rated vulnerabilities, a ‘use after free’ one impacting sharing.
The remaining vulnerabilities, not all of which have been assigned Common Vulnerabilities and Exposures (CVE) numbers, may not be as serious in terms of impact but go towards completing what is another huge security update from Google.
Why, and how, you should update now
As always, it is recommended that you force the Chrome security update as soon as you can. While it will be rolling out over the coming days and weeks, as Google always says, given the nature of the security vulnerabilities that are covered, it’s a good idea not to wait. Simply heading for the Help|About option in your Google Chrome menu is all it takes to get the process going. This forces Chrome to check for, and download, any updates. What is vital, though, is that you restart the browser to ensure the update has been implemented and is protecting you from potential harm.
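For anyone checking more than one machine, the following added example (not from Google or the article) classifies each host as patched, awaiting a restart, or outdated against the fixed build 102.0.5005.61 named above. The inventory rows, host names and status labels are assumptions made for illustration, and the version strings in them are constructed.

```python
import re

# Fixed build named in the article (Windows also ships .62/.63; .61 is the floor).
FIXED = {
    "windows": (102, 0, 5005, 61),
    "mac": (102, 0, 5005, 61),
    "linux": (102, 0, 5005, 61),
}
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Pull a four-part version out of text such as 'Google Chrome 102.0.5005.63'."""
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(part) for part in match.groups())


def classify(platform, installed, running):
    """Compare numerically: as strings, '102.0.5005.9' sorts above '102.0.5005.61'."""
    fixed = FIXED[platform.lower()]
    if parse_version(installed) < fixed:
        return "outdated"          # update not yet downloaded
    if parse_version(running) < fixed:
        return "restart-pending"   # update on disk, old browser process still open
    return "patched"


# Constructed sample inventory (hypothetical hosts and fields):
# (host, platform, version installed on disk, version of the running browser)
INVENTORY = [
    ("ws-01", "windows", "Google Chrome 102.0.5005.63", "Google Chrome 102.0.5005.63"),
    ("ws-02", "windows", "Google Chrome 102.0.5005.63", "Google Chrome 101.0.0.1"),
    ("mac-01", "mac", "Google Chrome 101.0.0.1", "Google Chrome 101.0.0.1"),
    ("lin-01", "linux", "Google Chrome 102.0.5005.9", "Google Chrome 102.0.5005.9"),
]


def report(inventory):
    """Map each host to its patch status."""
    return {host: classify(plat, inst, run) for host, plat, inst, run in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host}: {status}")
```

The `restart-pending` case is the one the paragraph above warns about: the update has been downloaded, but the old build keeps running until the browser is restarted.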