- Mar 19, 2022
- 651
Google Chrome 100.0.4896.60 Stable Channel Update for DesktopI have updated Chrome 100 now
The Chrome team is delighted to announce the promotion of Chrome 100 to the stable channel for Windows, Mac and Linux. Chrome 100 is also promoted to our new extended stable channel for Windows and Mac. This will roll out over the coming days/weeks.
Chrome 100.0.4896.60 contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 100.
The Security Fixes are now added to the release notes:Google Chrome 100.0.4896.60 Stable Channel Update for Desktop
Stable Channel Update for Desktop
The Chrome team is delighted to announce the promotion of Chrome 100 to the stable channel for Windows, Mac and Linux. Chrome 100 is also pr...chromereleases.googleblog.com
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 28 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$7000][1292261] High CVE-2022-1125: Use after free in Portals. Reported by Khalil Zhani on 2022-01-29
[$5000][1291891] High CVE-2022-1127: Use after free in QR Code Generator. Reported by anonymous on 2022-01-28
[$5000][1301920] High CVE-2022-1128: Inappropriate implementation in Web Share API. Reported by Abdel Adim (@smaury92) Oisfi of Shielder on 2022-03-01
[$3000][1300253] High CVE-2022-1129: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2022-02-24
[$1000][1142269] High CVE-2022-1130: Insufficient validation of untrusted input in WebOTP. Reported by Sergey Toshin of Oversecurity Inc. on 2020-10-25
[$NA][1297404] High CVE-2022-1131: Use after free in Cast UI. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2022-02-15
[$TBD][1303410] High CVE-2022-1132: Inappropriate implementation in Virtual Keyboard. Reported by Andr.Ess on 2022-03-07
[$TBD][1305776] High CVE-2022-1133: Use after free in WebRTC. Reported by Anonymous on 2022-03-13
[$TBD][1308360] High CVE-2022-1134: Type Confusion in V8. Reported by Man Yue Mo of GitHub Security Lab on 2022-03-21
[$16000][1285601] Medium CVE-2022-1135: Use after free in Shopping Cart. Reported by Wei Yuan of MoyunSec VLab on 2022-01-09
[$7000][1280205] Medium CVE-2022-1136: Use after free in Tab Strip . Reported by Krace on 2021-12-15
[$5000][1289846] Medium CVE-2022-1137: Inappropriate implementation in Extensions. Reported by Thomas Orlita on 2022-01-22
[$2000][1246188] Medium CVE-2022-1138: Inappropriate implementation in Web Cursor. Reported by Alesandro Ortiz on 2021-09-03
[$TBD][1268541] Medium CVE-2022-1139: Inappropriate implementation in Background Fetch API. Reported by Maurice Dauer on 2021-11-10
[$TBD][1303253] Medium CVE-2022-1141: Use after free in File Manager. Reported by raven at KunLun lab on 2022-03-05
[$TBD][1303613] Medium CVE-2022-1142: Heap buffer overflow in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-07
[$TBD][1303615] Medium CVE-2022-1143: Heap buffer overflow in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-07
[$TBD][1304145] Medium CVE-2022-1144: Use after free in WebUI. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2022-03-08
[$TBD][1304545] Medium CVE-2022-1145: Use after free in Extensions. Reported by Yakun Zhang of Baidu Security on 2022-03-09
[$TBD][1290150] Low CVE-2022-1146: Inappropriate implementation in Resource Timing. Reported by Sohom Datta on 2022-01-23
Google’s Chrome browser has been updated to version 100, almost 14 years after it introduced the world to its clean design and all-encompassing “omnibox” in 2008. For most of its history, the search giant’s browser has gained a new version number roughly every six weeks, but last year the company switched to a four-week cycle to deliver new features more quickly. Google says the version 100 update is rolling out on stable channels now across Windows, Mac, Linux, Android, and iOS.
Chrome users who preferred tab muting over site muting had to install browser extensions such as Tab Muter or Smart Mute to bring back the functionality. Google added an experimental flag to the Canary version of the Chrome browser in early 2022 that restored the browser's tab muting capabilities.
The release of Chrome 100 to the Stable channel brings that experimental function to it as well. While it is still necessary to enable the feature on chrome://flags, doing so restores the ability to toggle audio with a click or tap on the audio icon of individual tabs.
Here is how you restore the functionality in Chrome 100 or newer:
All audio icons become switches that allow you to toggle audio on or off for that particular tab after the restart. Unlike the original tab muting feature, Chrome 100's will mute audio playback of the site and not just the tab. If you have two Twitch or YouTube videos open with audio playing in both, hitting the audio icon will mute both and not just the active one.
- Load chrome://flags/#enable-tab-audio-muting in the browser's address bar.
- Set the flag to Enabled using its menu.
- Restart the Google Chrome web browser.
Experimental flags may be removed at some point, but it would be strange if Google would remove this particular flag again after restoring it a few months earlier. Still, there is the possibility that the flag is removed and that tab audio muting is not enabled by default in Chrome.
The Stable channel has been updated to 100.0.4896.75 for Windows, Mac and Linux which will roll out over the coming days/weeks.
The Extended Stable channel has been updated to 100.0.4896.75 for Windows and Mac which will roll out over the coming days/weeks.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 1 security fix. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$NA][1311641] High CVE-2022-1232: Type Confusion in V8. Reported by Sergei Glazunov of Google Project Zero on 2022-03-30
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
The Stable channel has been updated to 100.0.4896.88 for Windows, Mac and Linux which will roll out over the coming days/weeks.
A full list of changes in this build is available in the log. Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Security Fixes and Rewards
Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed.
This update includes 11 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$6000][1285234] High CVE-2022-1305: Use after free in storage. Reported by Anonymous on 2022-01-07
[$3000][1299287] High CVE-2022-1306: Inappropriate implementation in compositing. Reported by Sven Dysthe on 2022-02-21
[$3000][1301873] High CVE-2022-1307: Inappropriate implementation in full screen. Reported by Irvan Kurniawan (sourc7) on 2022-03-01
[$1000][1283050] High CVE-2022-1308: Use after free in BFCache. Reported by Samet Bekmezci @sametbekmezci on 2021-12-28
[$TBD][1106456] High CVE-2022-1309: Insufficient policy enforcement in developer tools. Reported by David Erceg on 2020-07-17
[$TBD][1307610] High CVE-2022-1310: Use after free in regular expressions. Reported by Brendon Tiszka on 2022-03-18
[$TBD][1310717] High CVE-2022-1311: Use after free in Chrome OS shell. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-03-28
[$TBD][1311701] High CVE-2022-1312: Use after free in storage. Reported by Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2022-03-30
[$TBD][1270539] Medium CVE-2022-1313: Use after free in tab groups. Reported by Thomas Orlita on 2021-11-16
[$TBD][1304658] Medium CVE-2022-1314: Type Confusion in V8. Reported by Bohan Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-03-09
Well, I'm on Twitter at the "right" time, I guess. So, here is an emergency update issued by Google for an actively exploited zero day. If you run Chrome, you might want to update to v. 100.0.4896.127. Hope you guys don't mind.
The Stable channel has been updated to 100.0.4896.127 for Windows, Mac and Linux which will roll out over the coming days/weeks.
A full list of changes in this build is available in the log. Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
This update includes 2 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$NA][1315901] High CVE-2022-1364: Type Confusion in V8. Reported by Clément Lecigne of Google's Threat Analysis Group on 2022-04-13
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.
Google is aware that an exploit for CVE-2022-1364 exists in the wild.
The advice from Edge for now is to turn on the enhanced security mode to help prevent the exploit:Good stuff. That means Edge will be effected too.
Yet another capability in Origin trials in Chrome 101 is the Attribution Reporting API. Google describes it as follows:
This API measures ad conversions (e.g. purchases) and attributes them to ad interactions without using cross-site persistent identifiers like third-party cookies. The API allows measurement through both event-level reports sent directly from the browser, and aggregatable reports which can be processed through a trusted service to create summary reports of attribution data.
[...] Currently, the web ad industry measures conversions via identifiers they can associate across sites. These identifiers tie information about which ads were clicked to information about activity on the advertiser's site (the conversion). This allows advertisers to measure ROI, and for the entire ads ecosystem to understand how well ads perform. Since the ads industry today uses common identifiers across advertiser and publisher sites to track conversions, these common identifiers can be used to enable other forms of cross-site tracking. This doesn’t have to be the case, though, especially in cases where identifiers like third party cookies are either unavailable or undesirable. A new API surface can be added to the web platform to satisfy this use-case without them, in a way that provides better privacy to users.
The Chrome team is delighted to announce the promotion of Chrome 101 to the stable channel for Windows, Mac and Linux.This will roll out over the coming days/weeks.
Chrome 101.0.4951.41 for Windows,Mac and Linux contains a number of fixes and improvements -- a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 101.
Security Fixes and Rewards
This update includes 30 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$10000][1313905] High CVE-2022-1477: Use after free in Vulkan. Reported by SeongHwan Park (SeHwa) on 2022-04-06
[$7000][1299261] High CVE-2022-1478: Use after free in SwiftShader. Reported by SeongHwan Park (SeHwa) on 2022-02-20
[$7000][1305190] High CVE-2022-1479: Use after free in ANGLE. Reported by Jeonghoon Shin of Theori on 2022-03-10
[$6000][1307223] High CVE-2022-1480: Use after free in Device API. Reported by @uwu7586 on 2022-03-17
[$5000][1302949] High CVE-2022-1481: Use after free in Sharing. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-03-04
[$NA][1304987] High CVE-2022-1482: Inappropriate implementation in WebGL. Reported by Christoph Diehl, Microsoft on 2022-03-10
[$NA][1314754] High CVE-2022-1483: Heap buffer overflow in WebGPU. Reported by Mark Brand of Google Project Zero on 2022-04-08
[$7500][1297429] Medium CVE-2022-1484: Heap buffer overflow in Web UI Settings. Reported by Chaoyuan Peng (@ret2happy) on 2022-02-15
[$7500][1299743] Medium CVE-2022-1485: Use after free in File System API. Reported by Anonymous on 2022-02-22
[$7500][1314616] Medium CVE-2022-1486: Type Confusion in V8. Reported by Brendon Tiszka on 2022-04-08
[$7000][1304368] Medium CVE-2022-1487: Use after free in Ozone. Reported by Sri on 2022-03-09
[$5000][1302959] Medium CVE-2022-1488: Inappropriate implementation in Extensions API. Reported by Thomas Beverley from Wavebox.io on 2022-03-04
[$2000][1300561] Medium CVE-2022-1489: Out of bounds memory access in UI Shelf. Reported by Khalil Zhani on 2022-02-25
[$2000][1301840] Medium CVE-2022-1490: Use after free in Browser Switcher. Reported by raven at KunLun lab on 2022-03-01
[$2000][1305706] Medium CVE-2022-1491: Use after free in Bookmarks. Reported by raven at KunLun lab on 2022-03-12
[$2000][1315040] Medium CVE-2022-1492: Insufficient data validation in Blink Editing. Reported by Michał Bentkowski of Securitum on 2022-04-11
[$1000][1275414] Medium CVE-2022-1493: Use after free in Dev Tools. Reported by Zhihua Yao of KunLun Lab on 2021-12-01
[$1000][1298122] Medium CVE-2022-1494: Insufficient data validation in Trusted Types. Reported by Masato Kinugawa on 2022-02-17
[$1000][1301180] Medium CVE-2022-1495: Incorrect security UI in Downloads. Reported by Umar Farooq on 2022-02-28
[$1000][1306391] Medium CVE-2022-1496: Use after free in File Manager. Reported by Zhiyi Zhang and Zhunki from Codesafe Team of Legendsec at Qi'anxin Group on 2022-03-15
[$NA][1264543] Medium CVE-2022-1497: Inappropriate implementation in Input. Reported by Abdulrahman Alqabandi, Microsoft Browser Vulnerability Research on 2021-10-29
[$500][1297138] Low CVE-2022-1498: Inappropriate implementation in HTML Parser. Reported by SeungJu Oh (@real_as3617) on 2022-02-14
[$NA][1000408] Low CVE-2022-1499: Inappropriate implementation in WebAuthentication. Reported by Jun Kokatsu, Microsoft Browser Vulnerability Research on 2019-09-04
[$TBD][1223475] Low CVE-2022-1500: Insufficient data validation in Dev Tools. Reported by Hoang Nguyen on 2021-06-25
[$NA][1293191] Low CVE-2022-1501: Inappropriate implementation in iframe. Reported by Oriol Brufau on 2022-02-02
In Chrome 101, users noticed that Google removed the hardware media key handling flag from the experimental page without adding an option to Chrome. Did Google pull the flag and decide to do away with the option?
It appears that this is not the case. According to this commit on the Chromium Gerrit site, Google plans to restore the flag in Chrome 102, out next month and extend the expiration date of the flag to Chrome 113.
Google notes in the commit that the experimental flag is popular, as it is the 10th most used custom flag in the browser.
Extend hardware-media-key-handling flag expiration
This flag is still the 10th most used custom flag on desktop and we have not yet figured out a good solution for making this an actual setting. Kicking the can for now.
Chromium developers plan to add the disabling of media keys as a setting in the browser, but they have not yet decided on how that is going to happen.
Chrome users who set the flag in previous versions of the web browser may restore it in Chrome 101 temporarily by enabling the "Temporarily unexpire M100 flags"; this restores flags that were removed in 101 if they existed in version 100 of the browser. Starting with Chrome 102, it is no longer necessary to keep that flag enabled as the official media key handling flag will be restored in that version of the browser.
Chrome Beta 102 landed last week, but we haven’t uncovered everything new in it just yet. As it turns out, the new version of Chrome makes it possible to reorder tabs with keyboard shortcuts on Mac and Windows. The feature was previously only available on Linux and is now finally making its way to all desktop versions of the browser, save for Chrome OS (or chromeOS, if you will).
While you can easily reorder tabs using your mouse (just drag and drop the tab in question left or right to slot it in the desired place), many power users prefer to do as much as possible using keyboard shortcuts. The logic for both Windows and macOS follows the same that was long introduced in Linux. To move a tab, you need to hit ctrl+shift and page up or page down, depending on which direction you want to move the tab. On the regular MacBook keyboard, page up or page down can be accessed by holding down the fn key and hitting arrow up or down, so you will in essence have to pair ctrl+shift+fn with arrow up or down. Many Windows laptops will require similar workarounds, depending on what keyboard layout they offer.
While we have only been able to confirm this new behavior on macOS, Redditor Leopeva64 (who tipped us about this) offers a screen recording that shows off the keyboard shortcut in use on Windows. Unfortunately, it doesn’t look like the keyboard shortcut is functional on Chrome OS just yet, where we haven’t been able to reproduce the shortcut under Dev version 102.0.4992.0.
The Stable channel has been updated to 101.0.4951.54 for Windows, Mac and Linux which will roll out over the coming days/weeks.
A full list of changes in this build is available in the log. Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
The Stable channel has been updated to 101.0.4951.64 for Windows, Mac and Linux which will roll out over the coming days/weeks.
A full list of changes in this build is available in the log. Interested in switching release channels? Find out how here. If you find a new issue, please let us know by filing a bug. The community help forum is also a great place to reach out for help or learn about common issues.
Security Fixes and Rewards
This update includes 13 security fixes. Below, we highlight fixes that were contributed by external researchers. Please see the Chrome Security Page for more information.
[$5000][1316990] High CVE-2022-1633: Use after free in Sharesheet. Reported by Khalil Zhani on 2022-04-18
[$3000][1314908] High CVE-2022-1634: Use after free in Browser UI. Reported by Khalil Zhani on 2022-04-09
[$3000][1319797] High CVE-2022-1635: Use after free in Permission Prompts. Reported by Anonymous on 2022-04-26
[$NA][1297283] High CVE-2022-1636: Use after free in Performance APIs. Reported by Seth Brenith, Microsoft on 2022-02-15
[$TBD][1311820] High CVE-2022-1637: Inappropriate implementation in Web Contents. Reported by Alesandro Ortiz on 2022-03-31
[$TBD][1316946] High CVE-2022-1638: Heap buffer overflow in V8 Internationalization. Reported by DoHyun Lee (@l33d0hyun) of DNSLab, Korea University on 2022-04-17
[$TBD][1317650] High CVE-2022-1639: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-04-19
[$TBD][1320592] High CVE-2022-1640: Use after free in Sharing. Reported by Weipeng Jiang (@Krace) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-28
[$5000][1305068] Medium CVE-2022-1641: Use after free in Web UI Diagnostics. Reported by Rong Jian of VRI on 2022-03-10
We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.