Google has released a security update for its Chrome desktop and Android browsers. The update brings the stable channel version of Chrome to 103.0.5060.134 on the desktop, and to 103.0.5060.129 on Android.
The security update is already available. Most Chrome browsers will receive the update automatically, thanks to the built-in automatic updating functionality. Chrome users may speed up the installation of the security update on desktop versions of Chrome by loading chrome://settings/help in the browser’s address bar.
The current version is displayed on the page and Chrome runs a check for updates to find out if a new version is available. If not installed already, Chrome will download and install the security update. A restart is required to complete the upgrade. The Android version of Chrome does not support such an option, as updates are distributed exclusively via Google Play.
Google Chrome 103 security fixes
Google published an article on the Chrome Releases Blog to inform Chrome users and administrators about the update. The blog post confirms that 11 different security issues are patched in the new Chrome release. Six of these, all reported by third-party researchers, are mentioned specifically on the blog. Google does not list security issues that it found internally on the blog.
The maximum severity rating of all 11 security issues is high, the second highest after critical. Here is the full list as reported by Google:
- [$16000] High CVE-2022-2477 : Use after free in Guest View. Reported by anonymous on 2022-06-14
- [$7500] High CVE-2022-2478 : Use after free in PDF. Reported by triplepwns on 2022-06-13
- [$3000] High CVE-2022-2479 : Insufficient validation of untrusted input in File. Reported by anonymous on 2022-05-28
- [$NA] High CVE-2022-2480 : Use after free in Service Worker API. Reported by Sergei Glazunov of Google Project Zero on 2022-06-27
- [$TBD] High CVE-2022-2481: Use after free in Views. Reported by YoungJoo Lee(@ashuu_lee) of CompSecLab at Seoul National University on 2022-07-04
- [$7000] Low CVE-2022-2163: Use after free in Cast UI and Toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21
Google makes no mention of attacks in the wild. It is still recommended to update Chrome to the latest version as soon as possible.
Google released the first Chrome 103 release earlier this month; this update included a fix for a 0-day vulnerability that was exploited in the wild.
Now You: do you use Google Chrome?