May 26 Update below. This post was originally published on May 25.
Many people equate the regular discovery, and patching, of product vulnerabilities with being a sign of bad security; I am not one of them. I have always said that I’d much rather these security flaws are picked up, be that by in-house teams, bug bounty platforms or independent researchers, than go undiscovered. Vendors that patch regularly and transparently are demonstrating a strong security posture, not a weak one. Sure, in an ideal world software would be free of any bugs and hackers would not be able to find creative ways to exploit code. This is not, in case you missed it, an ideal world. In that regard, Google does a good job from a security perspective and the latest Chrome version 102 update is a great example of this in action.
However, newly published research from Which? in the U.K. claims that in another area of web browser security, phishing protection, Google has much less to be proud of.
Which? report claims Google Chrome lagging when it comes to browser phishing protection
Google Chrome is by far the world’s most popular web browser, whatever metric you use in reaching that conclusion. With more than 3 billion users and a 65% desktop market share (Safari is in second place with just 9%), Chrome is the undisputed browser champion. But the Which? report appears to claim that it has been well and truly knocked out for the count by Apple Safari, Microsoft Edge, Mozilla Firefox and Opera when it comes to one security metric: detecting and blocking phishing sites. A claim that, it must be said, Google itself disputes.
The report was based on testing of the most popular web browsers by attempting to visit a total of “800 newly-discovered sites very shortly after they are first discovered,” according to Michael Passingham, a senior researcher at Which? This appears to be in order to test how well the browsers could cope with the latest phishing threats from sites that had yet to appear in databases of such things.
The results varied depending on the platform, so they were split into Windows and Mac categories: Google Chrome placed last in each. The percentages are shown below, representing the proportion of those phishing sites that each browser prevented the user from opening.
Windows
- 85% Mozilla Firefox
- 82% Microsoft Edge
- 56% Opera
- 28% Google Chrome
Mac
- 78% Mozilla Firefox
- 77% Apple Safari
- 56% Opera
- 25% Google Chrome
What Google says about the Which? phishing test results
I reached out to Google which supplied me with the following statement:
“This study’s methodology and findings demand scrutiny. For more than 10 years, Google has helped set the anti-phishing standard — and freely provided the underlying technology — for other browsers. Google and Mozilla often partner to improve the security of the web, and Firefox relies primarily on Google’s Safe Browsing API to block phishing – but the researchers indicated that Firefox provided significantly more phishing protection than Chrome. It’s highly unlikely that browsers using the same technology for phishing detection would differ meaningfully in the level of protection they offer, so we remain sceptical of this report’s findings.”
What does a phishing awareness expert say?
“Depending on the methodology and techniques used, the results of how browsers detect and block phishing attacks can vary,” Javvad Malik, lead security awareness advocate at anti-phishing specialists KnowBe4, said. “However, it’s worth bearing in mind that like many threats, phishing cannot be prevented with just one control, and perhaps due to the nature of phishing attacks, technology alone will never be fully effective. Therefore, it’s vitally important to provide users with timely and relevant security awareness and training so that they can be better placed to identify phishing attacks and report them to their security teams.”
Google Chrome 102 update fixes 32 new security vulnerabilities
The good news for the estimated 3.2 billion users of Google’s Chrome web browser is that, as far as we know, there are no new zero-day attacks ongoing against them. However, according to the latest confirmation from Google, a total of 32 new security vulnerabilities have been discovered that impact the Chromium-based browser. Of these, one has a critical impact status, eight are rated high and a further nine are medium.
This is one big, and very important, security update for all Chrome users across Windows, Mac, and Linux platforms. There is also an update rolling out for the Android Chrome app, but this appears not to be security-related as Google has only pointed to “stability and performance” issues in the release announcement.
What are the most important Google Chrome vulnerabilities to be disclosed?
So, what do we know about the May 24 Google Chrome update, which takes the browser to version 102.0.5005.61 for Mac and Linux users and either 102.0.5005.61, 62 or 63 for Windows users? After ensuring my copy on Windows 11 was updated (details below) it is showing as version 102.0.5005.63, but your mileage could vary it seems.
OK, so here are the details of the most important vulnerabilities that have been fixed by this security update.
- CVE-2022-1853 is a critical-rated ‘use after free’ vulnerability impacting IndexedDB, a feature that allows fast access to structured data.
- CVE-2022-1854 is a high-rated ‘use after free’ vulnerability in the ANGLE graphics engine abstraction layer.
- CVE-2022-1855 is a high-rated ‘use after free’ vulnerability in messaging.
- CVE-2022-1856 is a high-rated ‘use after free’ vulnerability in the user education function.
- CVE-2022-1857 is a high-rated vulnerability concerning insufficient policy enforcement in the file system API.
- CVE-2022-1858 is a high-rated ‘out of bounds’ vulnerability impacting DevTools.
- CVE-2022-1859 is another high-rated ‘use after free’ vulnerability, this time within the performance manager.
- CVE-2022-1860 is yet another high-rated ‘use after free’ vulnerability, this time within UI foundations.
- CVE-2022-1861 rounds up the high-rated vulnerabilities, a ‘use after free’ one impacting sharing.
The remaining vulnerabilities, not all of which have been assigned Common Vulnerabilities and Exposures (CVE) numbers, may not be as serious in terms of impact but go towards completing what is another huge security update from Google.
Why, and how, you should update now
As always, it is recommended that you force the Chrome security update as soon as you can. While it will be rolling out over the coming days and weeks, as Google always says, given the nature of the security vulnerabilities that are covered, it’s a good idea not to wait. Simply heading to the Help|About option in your Google Chrome menu is all it takes to get the process going. This forces Chrome to check for, and download, any updates. What is vital, though, is that you restart the browser to ensure the update has been applied and is protecting you from potential harm.
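For anyone responsible for more than one machine, the manual Help|About check above does not scale, so here is an added example (not from the original article or from Google) that compares recorded Chrome version strings against the first fixed build named in this article, 102.0.5005.61. The hostnames and the inventory entries are constructed for illustration; only the fixed version number comes from the article.

```python
# Added example (not from the original article): flag installed Chrome builds
# that are below the first build carrying the May 24 security fixes
# (102.0.5005.61 per the article). Inventory data is constructed inline.
# Comparing integer tuples is what makes "102.0.5005.9" sort correctly
# below "102.0.5005.63"; a plain string comparison would get this wrong.
from typing import List, Tuple

PATCHED_MIN = "102.0.5005.61"  # first fixed build named in the article


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.BUILD.PATCH' into a tuple of ints for ordering."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, minimum: str = PATCHED_MIN) -> bool:
    """True if the installed build is at or above the patched build."""
    return parse_version(installed) >= parse_version(minimum)


def unpatched_hosts(inventory: List[Tuple[str, str]],
                    minimum: str = PATCHED_MIN) -> List[str]:
    """Return hostnames whose recorded Chrome build still needs the update."""
    return [host for host, ver in inventory if not is_patched(ver, minimum)]


# Constructed sample inventory (hostnames and version strings are made up,
# apart from the fixed builds quoted in the article).
SAMPLE_INVENTORY = [
    ("win11-laptop-01", "102.0.5005.63"),   # Windows build the article saw
    ("mac-studio-02", "102.0.5005.61"),     # Mac/Linux fixed build
    ("win10-desktop-03", "101.0.4951.67"),  # still on a Chrome 101 build
    ("linux-dev-04", "102.0.5005.9"),       # early 102 build below .61
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Chrome needs updating to {PATCHED_MIN} or later")
```

Feed it whatever version strings your endpoint management tool exports; the Windows variants 62 and 63 mentioned above all compare as patched.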