Question Chrome and Its Vulnerabilities – Is the Web Browser Safe to Use?

[MuzzMelbourne]

Like all major applications, Google’s Chrome suffers from vulnerabilities. During 2022, SecurityWeek reported on 456 vulnerabilities (averaging 38 per month), including nine zero-days. The high number of flaws needing to be patched poses a simple question: is Chrome safe to use?

This high rate of vulnerability disclosures and patches has continued into 2023. Chrome 109 patched 17 and six vulnerabilities in January. Chrome 110 patched 15vulnerabilities in February; version 111 patched 40 and 8 in March; and version 112 patched 16 in April. April also saw a patch for the second zero-day vulnerability of 2023. Chrome 113 patched 15 vulnerabilities in May, followed by a further 12vulnerabilities. June started with the third of 2023’s zero-day patches, in Chrome 114, and this was followed by a further 5 patches.

The list is so long it almost becomes boringly repetitive – but it will undoubtedly continue growing through the rest of the year and beyond. The questions raised, however, are not boring. Why are there so many vulnerabilities? Is Chrome realistically safe to use? Can Google do anything to make the product safer? Can users do anything to increase their safety? SecurityWeek talked to Tal Zamir, the CTO at Tel Aviv, Israel-based Perception Point (a detection and response vendor covering major threat surfaces including browsers).

Chrome and Its Vulnerabilities - Is the Web Browser Safe to Use?

The high number of vulnerabilities needing to be patched in Chrome poses a simple question: is the popular web browser from Google safe?

www.securityweek.com

 

[Bot]

While Google Chrome has a high rate of vulnerability disclosures and patches, it is still considered to be a safe web browser to use. However, users should take precautions to maximize their safety, such as keeping their browser up to date with the latest patches, avoiding suspicious downloads and websites, and using software such as antivirus programs to further enhance their security. Ultimately, it is up to both Google and users to take steps to prioritize security and reduce vulnerabilities.

 

[MuzzMelbourne]

A bit of a cop-out there @Bot.

How to say something when you have nothing to say dude...

 

[mlnevese]

As far as I'm concerned, ALL software has some kind of vulnerability. The real question is how interesting it is for criminals to search for a vulnerability in any given software. I'd say Google Chrome is a high priority target.

 

[Ink]

Google Chrome is the safest modern browser to use on the current market. Keeping software up-to-date is critical.

 

[Stenographers]

I find that measuring the security of an application is less about the volume of security issues. As in the past with IE that came before, more exploits come out for Chrome than other software because it is a huge attack vector and very popular.

What I find more helpful is measuring how those vulnerabilities are addressed. If they’re addressed completely, quickly, and in a well communicated manner it tells a lot about the state of the project. It is harder to measure as things like communication aren’t easily assigned a number vale, but I think it gives a more holistic perspective.

 

[MuzzMelbourne]

Google Chrome is the safest modern browser to use on the current market...

...cough, cough, splutter, cough, splutter, splutter...

 

[CyberTech]

Google on Tuesday announced the release of Chrome 119 to the stable channel with patches for 15 vulnerabilities, including 13 reported by external researchers.

Three of the externally reported bugs have a severity rating of ‘high’, and are described as inappropriate implementation in Payments (CVE-2023-5480), insufficient data validation in USB (CVE-2023-5482), and integer overflow in USB (CVE-2023-5849).

Google says in its advisory that it has paid out $16,000 for the first flaw and $11,000 for the second, and that it has yet to determine the amount to be awarded for the third issue.

Of the remaining 10 security defects reported by external researchers, eight are rated ‘medium severity’, and two have a severity rating of ‘low’.

Half of the medium-severity bugs are use-after-free issues impacting Chrome’s Printing, Profiles, Reading Mode, and Side Panel components. The other half includes two incorrect security UI issues and two inappropriate implementation flaws in Downloads.

The low-severity defects addressed this week include an inappropriate implementation in WebApp Provider and an incorrect security UI in ‘Picture In Picture’, Google notes.

The internet giant says it has paid out over $40,000 in bug bounty rewards to the reporting researchers. However, with the bounties for three of the bugs yet to be determined, the final amount might be much higher.

As usual, Google is keeping access to the bugs restricted “until a majority of users are updated with a fix”.

The latest Chrome iteration is now rolling out to users as version 119.0.6045.105 for Linux and macOS, and as versions 119.0.6045.105/.106 for Windows.

Chrome for Android too was updated on Tuesday, bringing the same security fixes as the desktop version of the browser, Google says. Chrome 119 was pushed to iOS as well.

Google makes no mention of any of these vulnerabilities being exploited in the wild.

Chrome 119 Patches 15 Vulnerabilities

Chrome 119 is rolling out to Linux, macOS, and Windows devices with patches for over a dozen vulnerabilities.

www.securityweek.com