Serious Discussion Google Chrome Stable Channel Updates

amirr

Level 27
Verified
Top Poster
Well-known
Jan 26, 2020
1,628
"v94 has a controversial feature that allows websites to detect if your browser is sitting there idle.
Here is how to turn it off:
Go to: chrome://settings/content/idleDetection
or
Chrome Settings > Privacy and Security > Site Settings > Permissions > Additional Permissions > Your device use
enable: Don’t allow sites to know when you’re actively using your device"
tweakhound.com/2021/09/22/wednesday-news-16/
 

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,567
Emergency Google Chrome update fixes zero-day exploited in the wild
Google has released Chrome 94.0.4606.61 for Windows, Mac, and Linux, an emergency update addressing a high-severity zero-day vulnerability exploited in the wild.

"Google is aware that an exploit for CVE-2021-37973 exists in the wild," the browser vendor revealed in today's security advisory.

This Chrome update has started rolling out worldwide to the Stable desktop channel and will be available to all users over the following days and weeks.

The update was available immediately when BleepingComputer manually checked for new updates from Chrome menu > Help > About Google Chrome.

The web browser will also check for new updates and automatically update itself after the next launch.
With this bug, Google has patched 11 zero-day vulnerabilities in the Chrome web browser since the start of 2021.

The other Chrome zero-day bugs Google fixed this year are:
Because these security bugs are all known to have been abused by threat actors in the wild, installing all Google Chrome updates is strongly recommended as soon as they are available.
 

plat

Level 29
Top Poster
Sep 13, 2018
1,793
Excerpt:

Google has released Chrome 94.0.4606.71 for Windows, Mac, and Linux, to fix two zero-day vulnerabilities that have been exploited by attackers.

"Google is aware the exploits for CVE-2021-37975 and CVE-2021-37976 exist in the wild," Google disclosed in the list of security fixes fixed in today's Google Chrome release.

Google has started rolling out Chrome 94.0.4606.71 to users worldwide in the Stable Desktop channel and should be available to all users within the coming days.

To install the update immediately, Google Chrome users can go to Chrome menu > Help > About Google Chrome, and the browser will begin performing the update.

 

Gandalf_The_Grey

Google Chrome 94.0.4606.81 Stable Channel Update for Desktop
The Stable channel has been updated to 94.0.4606.81 for Windows, Mac and Linux which will roll out over the coming days/weeks. Extended stable channel has also been updated to 94.0.4606.81 for Windows and Mac which will roll out over the coming days/weeks.

A full list of changes in this build is available in the log. Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 4 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$10000][1252878] High CVE-2021-37977 : Use after free in Garbage Collection. Reported by Anonymous on 2021-09-24

[$7500][1236318] High CVE-2021-37978 : Heap buffer overflow in Blink. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-08-04

[$7500][1247260] High CVE-2021-37979 : Heap buffer overflow in WebRTC. Reported by Marcin Towalski of Cisco Talos on 2021-09-07

[$3000][1254631] High CVE-2021-37980 : Inappropriate implementation in Sandbox. Reported by Yonghwi Jin (@jinmo123) on 2021-09-30
 

Gandalf_The_Grey

Google Chrome 95.0.4638.54 Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 95 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

Chrome 95.0.4638.54 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 95.

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 19 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$20000][1246631] High CVE-2021-37981 : Heap buffer overflow in Skia. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-09-04
[$10000][1248661] High CVE-2021-37982 : Use after free in Incognito. Reported by Weipeng Jiang (@Krace) from Codesafe Team of Legendsec at Qi'anxin Group on 2021-09-11
[$10000][1249810] High CVE-2021-37983 : Use after free in Dev Tools. Reported by Zhihua Yao of KunLun Lab on 2021-09-15
[$7500][1253399] High CVE-2021-37984 : Heap buffer overflow in PDFium. Reported by Antti Levomäki, Joonas Pihlaja and Christian Jalio from Forcepoint on 2021-09-27
[$5000][1241860] High CVE-2021-37985 : Use after free in V8. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-08-20
[$6000][1242404] Medium CVE-2021-37986 : Heap buffer overflow in Settings. Reported by raven (@raid_akame) on 2021-08-23
[$5000][1206928] Medium CVE-2021-37987 : Use after free in Network APIs. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-05-08
[$5000][1228248] Medium CVE-2021-37988 : Use after free in Profiles. Reported by raven (@raid_akame) on 2021-07-12
[$2000][1233067] Medium CVE-2021-37989 : Inappropriate implementation in Blink. Reported by Matt Dyas, Ankur Sundara on 2021-07-26
[$N/A][1247395] Medium CVE-2021-37990 : Inappropriate implementation in WebView. Reported by Kareem Selim of CyShield on 2021-09-07
[$TBD][1250660] Medium CVE-2021-37991 : Race in V8. Reported by Samuel Groß of Google Project Zero on 2021-09-17
[$TBD][1253746] Medium CVE-2021-37992 : Out of bounds read in WebAudio. Reported by sunburst@Ant Security Light-Year Lab on 2021-09-28
[$TBD][1255332] Medium CVE-2021-37993 : Use after free in PDF Accessibility. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-02
[$TBD][1243020] Medium CVE-2021-37996 : Insufficient validation of untrusted input in Downloads. Reported by Anonymous on 2021-08-24
[$3000][1100761] Low CVE-2021-37994 : Inappropriate implementation in iFrame Sandbox. Reported by David Erceg on 2020-06-30
[$1000][1242315] Low CVE-2021-37995 : Inappropriate implementation in WebApp Installer. Reported by Terence Eden on 2021-08-23
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Google Chrome 94.0.4606.101 Extended Stable Channel Update for Desktop
The Extended Stable channel has been updated to 94.0.4606.101 for Windows and Mac which will roll out over the coming days/weeks.

A full list of changes in this build is available in the log. Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
 

Gandalf_The_Grey

Google Chrome 95.0.4638.69 Stable Channel Update for Desktop
The Stable channel has been updated to 95.0.4638.69 for Windows, Mac and Linux which will roll out over the coming days/weeks.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 8 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$10000][1259864] High CVE-2021-37997 : Use after free in Sign-In. Reported by Wei Yuan of MoyunSec VLab on 2021-10-14

[$7500][1259587] High CVE-2021-37998 : Use after free in Garbage Collection. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-10-13

[$1000][1251541] High CVE-2021-37999 : Insufficient data validation in New Tab Page. Reported by Ashish Arun Dhone on 2021-09-21

[$N/A][1249962] High CVE-2021-38000 : Insufficient validation of untrusted input in Intents. Reported by Clement Lecigne, Neel Mehta, and Maddie Stone of Google Threat Analysis Group on 2021-09-15

[$N/A][1260577] High CVE-2021-38001 : Type Confusion in V8. Reported by Kunlun Lab via Tianfu Cup on 2021-10-16

[$N/A][1260940] High CVE-2021-38002 : Use after free in Web Transport. Reported by @__R0ng of 360 Alpha Lab, 漏洞研究院青训队 via Tianfu Cup on 2021-10-16

[$TBD][1263462] High CVE-2021-38003 : Inappropriate implementation in V8. Reported by Clément Lecigne from Google TAG and Samuel Groß from Google Project Zero on 2021-10-26

Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild.
 

Gandalf_The_Grey

Google Chrome 96.0.4664.45 Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 96 to the stable channel for Windows, Mac and Linux. Chrome 96 is also promoted to our new extended stable channel for Windows and Mac. This will roll out over the coming days/weeks.

Chrome 96.0.4664.45 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 96.
 

silversurfer

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,148
Google released Chrome 96 for all supported desktop operating systems and Android this week; the new version is 96.0.4664.45. No mentioning of security updates in the release.

The official blog post on the Chrome Releases blog offers virtually no information on the release. It lists the version number and that the extended stable of Chrome has been promoted to Chrome 96 as well. Google switched to a 4-week release cycle for Chrome recently and created the extended channel to increase the release period to every other release (8-weeks).

A Chrome 96 beta post on the Chromium blog reveals information on what is new in the new version. Here is a list of important changes:
  • HTTPS is used to connect to websites if an HTTPS record is available from the domain name service (DNS).
  • Web applications may register as URL protocol handlers, e.g. to launch twitter links using the Twitter PWA, or FTP links using a web FTP application.
  • New Origin trial: Conditional focus
    • Applications that capture other windows or tabs currently have no way to control whether the calling item or the captured item gets focus. (Think of a presentation feature in a video conference app.) Chrome 96 makes this possible with a subclass of MediaStreamTrack called FocusableMediaStreamTrack, which supports a new focus() method.
  • New Origin trial: Priority Hints
    • Priority Hints introduces a developer-set "importance" attribute to influence the computed priority of a resource. Supported importance values are "auto", "low", and "high". Priority Hints indicate a resource's relative importance to the browser, allowing more control over the order resources are loaded.
  • Back forward cache on desktop for faster navigations to "previously-visited pages after cross-site navigations".
  • New credentialless policy for Cross-Origin-Embedder-Policy.
    • Cross-Origin-Embedder-Policy has a new credentialless option that causes cross-origin no-cors requests to omit credentials (cookies, client certificates, etc.). Similarly to COEP:require-corp, it can enable cross-origin isolation.
  • Unique IDs for desktop PWAs.
    • The appmanifest spec doesn’t explicitly define what uniquely identifies a PWA. Currently, on the desktop versions of Chromium-based browsers and Firefox on Android, PWAs are uniquely identified by app's start_url and Android Chromium-based browsers use manifest_url instead. This is confusing to developers. Also it made developers unable to change their start_url and manifest_url. Having a stable id allows apps to update other metadata like start_url and manifest_url, and have a consistent way to reference apps across browser platforms, PWA stores and other external entities. This feature tracks the launch process for implementation on the desktop side, as the Android implementation will be done with a different timeline. They will both follow the same specification.
  • Enhanced content security policy to improve interoperability with WebAssembly.
  • Deprecated: The PaymentRequest API has deprecated the basic card payment method. Will be removed in Chrome 100.
 

Gandalf_The_Grey

Google Chrome 96.0.4664.45 Stable Channel Update for Desktop

More info published on the blog:
Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 25 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$7500][1254189] High CVE-2021-38007: Type Confusion in V8. Reported by Polaris Feng and SGFvamll at Singular Security Lab on 2021-09-29

[$7500][1263620] High CVE-2021-38008: Use after free in media. Reported by Marcin Towalski of Cisco Talos on 2021-10-26

[$2000][1260649] High CVE-2021-38009: Inappropriate implementation in cache. Reported by Luan Herrera (@lbherrera_) on 2021-10-16

[$TBD][1240593] High CVE-2021-38006: Use after free in storage foundation. Reported by Sergei Glazunov of Google Project Zero on 2021-08-17

[$TBD][1241091] High CVE-2021-38005: Use after free in loader. Reported by Sergei Glazunov of Google Project Zero on 2021-08-18

[$TBD][1264477] High CVE-2021-38010: Inappropriate implementation in service workers. Reported by Sergei Glazunov of Google Project Zero on 2021-10-28

[$TBD][1268274] High CVE-2021-38011: Use after free in storage foundation. Reported by Sergei Glazunov of Google Project Zero on 2021-11-09

[$15000][1262791] Medium CVE-2021-38012: Type Confusion in V8. Reported by Yonghwi Jin (@jinmo123) on 2021-10-24

[$10000][1242392] Medium CVE-2021-38013: Heap buffer overflow in fingerprint recognition. Reported by raven (@raid_akame) on 2021-08-23

[$5000][1248567] Medium CVE-2021-38014: Out of bounds write in Swiftshader. Reported by Atte Kettunen of OUSPG on 2021-09-10

[$3000][957553] Medium CVE-2021-38015: Inappropriate implementation in input. Reported by David Erceg on 2019-04-29

[$3000][1244289] Medium CVE-2021-38016: Insufficient policy enforcement in background fetch. Reported by Maurice Dauer on 2021-08-28

[$2500][1256822] Medium CVE-2021-38017: Insufficient policy enforcement in iframe sandbox. Reported by NDevTK on 2021-10-05

[$2000][1197889] Medium CVE-2021-38018: Inappropriate implementation in navigation. Reported by Alesandro Ortiz on 2021-04-11

[$1000][1251179] Medium CVE-2021-38019: Insufficient policy enforcement in CORS. Reported by Maurice Dauer on 2021-09-20

[$1000][1259694] Medium CVE-2021-38020: Insufficient policy enforcement in contacts picker. Reported by Luan Herrera (@lbherrera_) on 2021-10-13

[$500][1233375] Medium CVE-2021-38021: Inappropriate implementation in referrer. Reported by Prakash (@1lastBr3ath) and Jun Kokatsu on 2021-07-27

[$TBD][1248862] Low CVE-2021-38022: Inappropriate implementation in WebAuthentication. Reported by Michal Kepkowski on 2021-09-13
 

silversurfer

Chrome 96 also features a "back-forward cache" so that you can instantly navigate to your previously visited pages. This is intended to enhance your browsing workflow. Google is also splitting the reporting cache into distinct per-document and network caches. It also features some changes to enhance the privacy in these reporting logs, you can read more about the implementation here.
 

Gandalf_The_Grey

Google Chrome 96 breaks Twitter, Discord, video rendering and more
Google Chrome 96 was released yesterday, and users are reporting problems with Twitter, Discord, and Instagram caused by the new version.

After upgrading to Chrome 96, users report errors in their Twitter notifications, with the website warning that "Something went wrong. Try reloading."
Other Twitter users are reporting GIFs turning black, images not displayed, or videos unable to play. In their place, Twitter shows the same error message reading, "Something went wrong."
Other users have reported that Discord features are also partially broken, with the web app feeling slower and the loading icon not appearing correctly.

Google is aware of the issues
The issues have been reported to Google in a Chromium bug post where Google employees have started to investigate the problems.

"We're continuing to see user reports about this behavior, including reports from our social team," notes Google product manager Craig Tumblison.

"One user has shared that disabling the "chrome://flags/#cross-origin-embedder-policy-credentialless" flag resolves the behavior. Another report shares a specific error message: "The connection was rejected at https://cards-frame.twitter.com". Test team, would you be able to try enabling that flag to see if the behavior appears?"

The 'chrome://flags/#cross-origin-embedder-policy-credentialless' flag is related to a new Cross-Origin-Embedder-Policy feature released with Chrome 96.

Google states that you can fix these bugs in some cases by setting the "chrome://flags/#cross-origin-embedder-policy-credentialless" to disabled.

If you are affected by these issues, you can copy and paste the above chrome:// address into the Google Chrome address bar and press enter. When the experimental flag appears, please set it to Disabled and relaunch the browser when prompted.

If this policy is related to the issues seen on Twitter, Discord, and Instagram, Google will likely push out a configuration change to disable the feature until they resolve the conflicts.
 

Gandalf_The_Grey

Google Chrome 96.0.4664.93 Stable Channel Update for Desktop
The Stable channel has been updated to 96.0.4664.93 for Windows, Mac and Linux which will roll out over the coming days/weeks. Extended stable channel has also been updated to 96.0.4664.93 for Windows and Mac which will roll out over the coming days/weeks.

A full list of changes in this build is available in the log. Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.

Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 20 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$15000][1267661] High CVE-2021-4052: Use after free in web apps. Reported by Wei Yuan of MoyunSec VLab on 2021-11-07

[$10000][1267791] High CVE-2021-4053: Use after free in UI. Reported by Rox on 2021-11-08

[$5000][1239760] High CVE-2021-4054: Incorrect security UI in autofill. Reported by Alesandro Ortiz on 2021-08-13

[$1000][1266510] High CVE-2021-4055: Heap buffer overflow in extensions. Reported by Chen Rong on 2021-11-03

[$TBD][1260939] High CVE-2021-4056: Type Confusion in loader. Reported by @__R0ng of 360 Alpha Lab on 2021-10-18

[$TBD][1262183] High CVE-2021-4057: Use after free in file API. Reported by Sergei Glazunov of Google Project Zero on 2021-10-21

[$TBD][1267496] High CVE-2021-4058: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-06

[$TBD][1270990] High CVE-2021-4059: Insufficient data validation in loader. Reported by Luan Herrera (@lbherrera_) on 2021-11-17

[$TBD][1271456] High CVE-2021-4061: Type Confusion in V8. Reported by Paolo Severini on 2021-11-18

[$TBD][1272403] High CVE-2021-4062: Heap buffer overflow in BFCache. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-11-22

[$TBD][1273176] High CVE-2021-4063: Use after free in developer tools. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-11-23

[$TBD][1273197] High CVE-2021-4064: Use after free in screen capture. Reported by @ginggilBesel on 2021-11-23

[$TBD][1273674] High CVE-2021-4065: Use after free in autofill. Reported by 5n1p3r0010 on 2021-11-25

[$TBD][1274499] High CVE-2021-4066: Integer underflow in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2021-11-29

[$TBD][1274641] High CVE-2021-4067: Use after free in window manager. Reported by @ginggilBesel on 2021-11-29

[$500][1265197] Low CVE-2021-4068: Insufficient validation of untrusted input in new tab page. Reported by NDevTK on 2021-10-31
 

plat


Excerpt:

Google has released Chrome 96.0.4664.110 for Windows, Mac, and Linux, to address a high-severity zero-day vulnerability exploited in the wild.

"Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild," the browser vendor said in today's security advisory.

Although the company says this update may take some time to reach all users, the update has already begun rolling out Chrome 96.0.4664.110 worldwide in the Stable Desktop channel.

The update was available immediately when BleepingComputer checked for new updates from Chrome menu > Help > About Google Chrome. The browser will also auto-check for recent updates and update itself automatically after the next launch.
 

Gandalf_The_Grey


Here are the official release notes:
Google Chrome 96.0.4664.110 Stable Channel Update for Desktop
The Stable channel has been updated to 96.0.4664.110 for Windows, Mac and Linux which will roll out over the coming days/weeks. Extended stable channel has also been updated to 96.0.4664.110 for Windows and Mac which will roll out over the coming days/weeks.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.

This update includes 5 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$NA][1263457] Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26

[$5000][1270658] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16

[$5000][1272068] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19

[$TBD][1262080] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair on 2021-10-21

[$TBD][1278387] High CVE-2021-4102: Use after free in V8. Reported by Anonymous on 2021-12-09

Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild.
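
Added example (not part of any post in this thread and not Google's code): a Python check that maps an installed Chrome desktop version to the exploited-in-the-wild CVEs quoted in the posts above, using the fixed Stable builds those posts name. The host names and inventory strings are constructed, and Extended Stable backports are not tracked because the thread does not list them.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# First Stable desktop build that the posts above report as fixing each
# CVE described as exploited in the wild (values copied from the thread).
FIXED_IN: Dict[str, str] = {
    "CVE-2021-37973": "94.0.4606.61",
    "CVE-2021-37975": "94.0.4606.71",
    "CVE-2021-37976": "94.0.4606.71",
    "CVE-2021-38000": "95.0.4638.69",
    "CVE-2021-38003": "95.0.4638.69",
    "CVE-2021-4102": "96.0.4664.110",
}

# Four dot-separated numbers that are not part of a longer dotted string.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text: str) -> Version:
    """Extract a four-part Chrome version from free text such as
    'Google Chrome 96.0.4664.93' and return it as a tuple of ints."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part Chrome version in {text!r}")
    return tuple(int(part) for part in match.groups())


def missing_fixes(installed: str) -> List[str]:
    """Return the CVEs from FIXED_IN whose fixed build is newer than the
    installed build. Comparison is numeric per component: as plain strings,
    '96.0.4664.93' sorts after '96.0.4664.110' and would look patched.
    Assumption: an older-branch build (for example Extended Stable) is
    reported as missing the fix, since the thread lists no backports."""
    have = parse_version(installed)
    return [cve for cve, fixed in FIXED_IN.items()
            if have < parse_version(fixed)]


def audit(inventory: Dict[str, str]) -> Dict[str, dict]:
    """Classify each host as 'ok', 'exposed' or 'unknown' and name the
    lowest build from the thread that closes every missing fix."""
    report: Dict[str, dict] = {}
    for host, raw in inventory.items():
        try:
            missing = missing_fixes(raw)
        except ValueError:
            # A host that reports no parsable version is not assumed safe.
            report[host] = {"status": "unknown", "missing": [],
                            "update_to": None}
            continue
        target: Optional[Version] = max(
            (parse_version(FIXED_IN[cve]) for cve in missing), default=None)
        report[host] = {
            "status": "exposed" if missing else "ok",
            "missing": missing,
            "update_to": ".".join(map(str, target)) if target else None,
        }
    return report


# Constructed inventory: host names and raw version strings are made up.
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 96.0.4664.110",
    "ws-02": "Google Chrome 96.0.4664.93",
    "ws-03": "94.0.4606.61",
    "ws-04": "Chromium (version not reported)",
}

if __name__ == "__main__":
    for host, row in audit(SAMPLE_INVENTORY).items():
        print(host, row["status"], row["missing"], row["update_to"])
```
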
 

Gandalf_The_Grey

Google Chrome 97.0.4692.71 Stable Channel Update for Desktop:
The Chrome team is delighted to announce the promotion of Chrome 97 to the stable channel for Windows, Mac and Linux. This will roll out over the coming days/weeks.

Chrome 97.0.4692.71 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 97.

This update includes 37 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.

[$TBD][1275020] Critical CVE-2022-0096: Use after free in Storage. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-11-30

[$10000][1117173] High CVE-2022-0097: Inappropriate implementation in DevTools. Reported by David Erceg on 2020-08-17

[$10000][1273609] High CVE-2022-0098: Use after free in Screen Capture. Reported by @ginggilBesel on 2021-11-24

[$5000][1245629] High CVE-2022-0099: Use after free in Sign-in. Reported by Rox on 2021-09-01

[$TBD][1238209] High CVE-2022-0100: Heap buffer overflow in Media streams API. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-08-10

[$TBD][1249426] High CVE-2022-0101: Heap buffer overflow in Bookmarks. Reported by raven (@raid_akame) on 2021-09-14

[$TBD][1260129] High CVE-2022-0102: Type Confusion in V8. Reported by Brendon Tiszka on 2021-10-14

[$TBD][1272266] High CVE-2022-0103: Use after free in SwiftShader. Reported by Abraruddin Khan and Omair on 2021-11-21

[$TBD][1273661] High CVE-2022-0104: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-25

[$TBD][1274376] High CVE-2022-0105: Use after free in PDF. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28

[$TBD][1278960] High CVE-2022-0106: Use after free in Autofill. Reported by Khalil Zhani on 2021-12-10

[$10000][1248438] Medium CVE-2022-0107: Use after free in File Manager API. Reported by raven (@raid_akame) on 2021-09-10

[$5000][1248444] Medium CVE-2022-0108: Inappropriate implementation in Navigation. Reported by Luan Herrera (@lbherrera_) on 2021-09-10

[$4000][1261689] Medium CVE-2022-0109: Inappropriate implementation in Autofill. Reported by Young Min Kim (@ylemkimon), CompSec Lab at Seoul National University on 2021-10-20

[$3000][1237310] Medium CVE-2022-0110: Incorrect security UI in Autofill. Reported by Alesandro Ortiz on 2021-08-06

[$3000][1241188] Medium CVE-2022-0111: Inappropriate implementation in Navigation. Reported by garygreen on 2021-08-18

[$3000][1255713] Medium CVE-2022-0112: Incorrect security UI in Browser UI. Reported by Thomas Orlita on 2021-10-04

[$1000][1039885] Medium CVE-2022-0113: Inappropriate implementation in Blink. Reported by Luan Herrera (@lbherrera_) on 2020-01-07

[$TBD][1267627] Medium CVE-2022-0114: Out of bounds memory access in Web Serial. Reported by Looben Yang on 2021-11-06

[$NA][1268903] Medium CVE-2022-0115: Uninitialized Use in File API. Reported by Mark Brand of Google Project Zero on 2021-11-10

[$TBD][1272250] Medium CVE-2022-0116: Inappropriate implementation in Compositing. Reported by Irvan Kurniawan (sourc7) on 2021-11-20

[$TBD][1115847] Low CVE-2022-0117: Policy bypass in Service Workers. Reported by Dongsung Kim (@kid1ng) on 2020-08-13

[$TBD][1238631] Low CVE-2022-0118: Inappropriate implementation in WebShare. Reported by Alesandro Ortiz on 2021-08-11

[$TBD][1262953] Low CVE-2022-0120: Inappropriate implementation in Passwords. Reported by CHAKRAVARTHI (Ruler96) on 2021-10-25
 

Gandalf_The_Grey

Chrome 97 for Windows boosts Security and Memory
Google has released Chrome 97 for Windows, Mac, Linux and is available with new features, improvements, and bug fixes. The version, specifically on the Windows platform, improves security with the Control Flow Guard feature. If you’re using multiple profiles, Chrome saves memory and system resources by removing profiles from memory when their windows are closed.

Control Flow Guard:
Finally, Google has launched Control Flow Guard (CFG) for Chrome on Windows with version 97. The feature makes memory corruption vulnerabilities tough to exploit.

However, the feature might cause issues with software that injects code into the Chrome process space. Data Loss Prevention Software can be given as one example for such software.

Manage Search engines Settings page getting improved:
As we reported before, Chrome provides greater control over site search, and the company has redesigned the Manage Search engines page to address various issues.

You should note, Site Search has been renamed to Manage search engines and Site search.

Chrome no longer automatically activates a site that works with site search and is compliant with OpenSearch Spec.

Users can manually activate such sites by visiting settings > Manage search engines and site search > inactive shortcuts > Activate.

Note: This feature is still being tested by Google in Chrome.

Chrome removes profiles when windows are closed going forward to improve memory:
Till now, when you close a Chrome browser window, the profile is kept loaded in memory and continues to use system resources and run background tasks like sync and extension scripts. This won’t happen when you exit Chrome completely.

Google is jumping in to save memory and system resources when you close Chrome profiles.

Chrome now removes profiles from memory when windows are closed.

So if you use more than one profile for work and personal needs, you may find Chrome less resource-intensive.

As Google announced previously, Chrome Web Store will not accept Manifest v2 extensions after January 17, 2022.

This version improves the Autofill feature. Users can preview Autofill entries more clearly within form fields. The new visual icons indicate what fields are going to be filled.

After Desktop, Chrome has enabled certificate transparency on Android for some users.

Starting Chrome 97, Chrome displays a brief description of the website in page info aka Site information UI.

For this feature to work, the “Make searches and browsing better” Setting needs to be enabled in “Sync and Google services” under “You and Google”. The “About this site” feature may not appear to all users.
 
