
You Need to Update Chrome Again

Google patched another zero-day vulnerability that threatened Chrome users.

If you recently updated Google Chrome to version 104, you might be surprised to learn there’s already another update available for your browser. After all, the last update patched 27 security vulnerabilities: What’s left to update? Apparently, quite a bit, including a new security flaw that hackers already know how to exploit.

Google announced the update in a Chrome Releases blog post Tuesday, Aug. 16. This new Chrome version is 104.0.5112.101 for Mac and Linux and 104.0.5112.102/101 for Windows, and is now available on all platforms.

The patch includes fixes for 11 security vulnerabilities, of which one is labeled critical, six are labeled high-severity, and three are labeled medium-severity. However, the real story concerns one of the high-severity vulnerabilities, identified as CVE-2022-2856: Google confirmed an exploit for this flaw exists in the wild, making it a zero-day vulnerability.

Zero-days are dangerous. While most security vulnerabilities are never exploited before a patch is available, some are. When someone succeeds not only in discovering a flaw in software but also in figuring out how to use it against others before a fix is out, that vulnerability becomes a zero-day. CVE-2022-2856 is one such vulnerability.

The flaw stems from an “insufficient validation of untrusted input in Intents.” According to Bleeping Computer, this type of flaw can lead to issues such as “buffer overflow, directory traversal, SQL injection, cross-site scripting, null byte injection, and more.” It’s a long list of consequences that could compromise your system, and since there’s an exploit for it in the wild, updating Chrome should be a priority.

However, it isn’t only this zero-day that should convince you to update: The other 10 issues are still important to patch, since their identities are now known. Hackers could still find ways to exploit these vulnerabilities, so it’s important to update to protect yourself across the board.

You can view all 11 vulnerabilities this update patches below, including who discovered each one and the reward they earned for it:

  • [$NA][1349322] Critical CVE-2022-2852: Use after free in FedCM. Reported by Sergei Glazunov of Google Project Zero on 2022-08-02

  • [$7000][1337538] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18

  • [$7000][1345042] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16

  • [$5000][1338135] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21

  • [$5000][1341918] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05

  • [$NA][1350097] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04

  • [$NA][1345630] High CVE-2022-2856: Insufficient validation of untrusted input in Intents. Reported by Ashley Shen and Christian Resell of Google Threat Analysis Group on 2022-07-19

  • [$3000][1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22

  • [$2000][1345193] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18

  • [$TBD][1346236] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21

  • [1353442] Various fixes from internal audits, fuzzing and other initiatives

How to update Google Chrome

Whether you’re on Mac, Windows, or Linux, you can quickly update Chrome to patch not only this zero-day vulnerability, but the other 10 flaws, as well. Click the three dots in the top-right corner of your browser window, then go to Help > About Google Chrome. Allow Chrome to look for a new update. If one is available, you’ll be able to click “Relaunch” to install it.

If you have automatic updates enabled, you can simply wait for Chrome to install the update on its own. However, that could take a matter of weeks—the fastest way to secure your browser is to update Chrome yourself.
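
If you look after more than one machine, the comparison against the fixed builds named above can be scripted. The following is an added example, not part of the original article: the inventory format, hostnames and installed versions are constructed, and the version strings mimic what `google-chrome --version` prints.

```python
import re

# Fixed builds named in the article. Windows shipped as .102/.101,
# so .101 is the lowest patched build on every platform.
PATCHED = {
    "mac": (104, 0, 5112, 101),
    "linux": (104, 0, 5112, 101),
    "windows": (104, 0, 5112, 101),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Extract a four-part Chrome version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None

def needs_update(platform, version_text):
    """True if below the fixed build, False if patched, None if it cannot be judged."""
    floor = PATCHED.get(platform.lower())
    version = parse_version(version_text)
    if floor is None or version is None:
        return None
    # Tuples compare numerically; as plain strings ".81" would sort above ".101".
    return version < floor

def audit(inventory_lines):
    """Map each host to a status, given 'host,platform,version' lines."""
    labels = {True: "needs update", False: "patched", None: "unknown"}
    result = {}
    for line in inventory_lines:
        host, platform, version_text = [f.strip() for f in line.split(",", 2)]
        result[host] = labels[needs_update(platform, version_text)]
    return result

# Constructed sample inventory (hostnames and installed versions are made up).
SAMPLE = [
    "ws-01,windows,Google Chrome 104.0.5112.102",
    "ws-02,windows,Google Chrome 104.0.5112.81",
    "mbp-07,mac,Google Chrome 104.0.5112.101",
    "build-3,linux,Google Chrome 103.0.5060.134",
    "lab-9,linux,Google Chrome 105.0.5195.52",
    "kiosk-1,chromeos,version not reported",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" either run a platform the article gives no fixed build for or returned no parseable version, so they need a manual check.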

[Bleeping Computer]