April 29 Update below. This post was originally published on April 27.
It’s been a breathtakingly busy few weeks in the world of Google Chrome security and the pace doesn’t appear to be slowing down. Hot on the heels of two emergency fixes for in-the-wild exploits, and confirmation of a record number of Chromium zero-days across 2021, comes another truly massive security update for billions of Chrome users. How massive would that be? Well, the newly confirmed stable channel update for desktop, which takes Google Chrome to version 101.0.4951.41 for Windows, Mac and Linux users, fixes no fewer than 30 security vulnerabilities.
Thankfully, for now at least, none of these are zero-days where attackers are known to already be exploiting the vulnerabilities. However, that doesn’t mean that user complacency should be the order of the day. As always, I recommend you kick-start the Chrome 101 security update as soon as possible rather than wait for it to be rolled out to you in the coming days and weeks. And, importantly, ensure that it is properly activated whether you update now or choose to wait.
Update April 29: Because Chrome isn’t the only web browser client to employ the Chromium engine under the hood, as it were, users of those browsers should also be on the lookout for security updates. I can confirm that at the time of writing my copies of both Brave and Microsoft Edge have now been updated to include the latest Chromium 101.0.4951.41 version, as you can see from the screenshots below. It’s just as important that you make sure that these browsers have updated to apply the necessary security patches, and that means restarting them as you would with Google Chrome itself.
As far as Brave users are concerned, you need to head for the three stripe ‘burger’ menu and select the ‘About Brave’ option. Again, this will then force the browser into immediately checking if an update is available and downloading it if that is, indeed, the case. At the risk of sounding like a broken record, don’t forget to restart the browser to ensure the patch has been applied and is protecting you.
If you see this, you are up to date and protected in Brave
To check the version number and kickstart the update process for Microsoft Edge, head to the ‘three dot’ menu at the top right of the screen. From here, select ‘Help and feedback|About Microsoft Edge’. This will immediately check if an update is available and start downloading if that is the case. You will then be prompted to restart the browser so make sure you have closed all open tabs and saved any information you require.
Make sure Microsoft Edge is up to date with security patches
Unfortunately, neither Opera nor Vivaldi had been updated at the time of writing, so please keep checking on these if you use them. For Opera, you need to head to the Opera icon at the top left. The menu option you want is Help|About Opera, unsurprisingly enough. Vivaldi users can select Help|Check for Updates from the ‘V’ logo menu.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a confirmation of the importance of these security updates in an April 28 posting. CISA says that it “encourages users and administrators to review the Chrome release notes and apply the necessary patches” as an attacker could otherwise exploit the vulnerabilities to take control of an affected system.
Of the 30 vulnerabilities, seven are rated high risk while 14 get a medium Common Vulnerabilities and Exposures (CVE) rating. In all, more than $80,000 has been confirmed by way of Google bounty payments to the researchers who found these security problems.
While all the technical detail of the vulnerabilities being patched has yet to be released, we do know that they include the following 25 specific ones, the remaining five coming under the ‘various fixes from internal audits, fuzzing and other initiatives’ umbrella.
Head for the Help|About option in your Google Chrome menu, and if the update is available, it will automatically start downloading.
Restart your browser to activate the update
Remember to restart your browser after the update has been installed, or it will not activate, and you will still be vulnerable to attack. This last point is the same if you get the automatic update without kick-starting the process – it will not activate until your browser is restarted. Given the number of people who keep a browser with a gazillion tabs open running all the time, I cannot emphasize the importance of this enough.
If you are showing version 101.0.4951.41 then you are up to date and protected