Articles about Chrome security

Google has announced that it will release security updates for Chrome on a weekly basis, doubling the speed with which fixes are delivered to the stable channel.

This will not change the release schedule for significant new versions of Chrome, but it means that users of the browser can enjoy greater security. Google's change in pace is designed to reduce the "patch gap", with the company saying that it treats "all critical and high severity bugs as if they will be exploited".

Continue reading →

Visit a secure website (that is, one that loads over HTTPS) in Chrome, and you'll see a lock icon in the address bar. But this is set to change. Google has announced plans to remove the familiar padlock icon, providing a number of reasons for a decision that many users will regard as a step in the wrong direction.

Among the arguments in favor of removing the icon is that HTTPS is the norm rather than the exception, and that the simple fact a site uses a secure connection is in no way indicative of its inherent trustworthiness.

Continue reading →

Google has issued an emergency update for Chrome which should be installed as soon as possible to plug a vulnerability known to be under active exploitation. The update is available for Windows, macOS and Linux.

In releasing Chrome v112.0.5615.121 for desktop to the stable channel, Google addresses the high severity CVE-2023-2033 as well as issuing other fixes. Described as a "type confusion in V8 in Google Chrome", CVE-2023-2033 is being exploited in the wild, hence the need for the emergency patch.

Continue reading →

Whether you are running Windows, macOS or a Linux distro, if you're a Chrome user there is an extremely important update to install right now.

Google has released Chrome 105.0.5195.102 for all three platforms to address the vulnerability which is tracked as CVE-2022-3075. The security flaw, which relates to data validation in the Mojo runtime libraries, is known to have been exploited in the wild, so users are advised to actively seek out the update rather than waiting for Google to roll it out to everyone.

Continue reading →

Security researchers from a collection of US and international universities have revealed details of Spook.js, a worrying transient execution side channel attack that can be used to bypass Chrome's Strict Site Isolation.

Rolled out by Google in response to the Spectre security flaw, Strict Site Isolation is supposed to prevent unauthorized data theft. But the researchers found that malicious JavaScript code can be used to grab data -- such as passwords -- from other tabs. The attack has been found to affect Intel processors and Apple devices with M1 chips; AMD chips are also thought to be at risk, but this is yet to be fully demonstrated.

Continue reading →

A serious security vulnerability has been discovered in Chrome, forcing Google to push out an emergency update to the browser. Affecting the Windows, Mac and Linux versions of Chrome, the high severity vulnerability is being tracked as CVE-2021-21148.

Described as a "heap buffer overflow in V8", it is being actively exploited in the wild, although few details of the exploit are available. Because of the severity of the vulnerability, Google has released a fix and is urging everyone to install it.

Continue reading →