Seven ‘high’ and fifteen’medium’ severity issues have been fixed in Chrome 104 stable, which was just published by Google.
27 security flaws discovered by third parties have been addressed by Google in Chrome 104.
There is no indication that any of the flaws are currently being actively exploited, but the release notes for Chrome 104 do contain some notable, albeit sparsely described, fixes for high severity flaws that affect the Chrome ‘Omnibox’ (address bar), Safe Browsing, the Dawn WebGPU implementation in Chrome, and Google’s AirDrop-like Nearby Share feature for sharing files between Chromebook and Android devices.
It was revealed by Erik Kraft and Martin Schwarzl of Graz University of Technology TU in Austria that Chrome’s keyboard input has a medium severity side-channel information leaking vulnerability. 2018’s revelation of Meltdown and Spectre CPU side-channel threats was made possible by Graz TU researchers.
Google paid a researcher 15,000 for discovering the “use after free” bug in Omnibox’s memory, which was logged as CVE-2022-2603.
CVE-2022-2604 (high severity use after free) and CVE-2022-2604 (medium severity problem) were also found in Chrome’s Safe Browsing feature (CVE-2022-2622).
Chrome and other major browsers employ Safe Browsing to alert users before they visit a risky site or download a harmful programme.
On June 10, Nan Wang and Guang Gong of 360 Alpha Lab of Qihoo 360 identified a high-severity problem. Chrome’s Managed devices API (CVE-2022-2606) and Chrome’s WebUI (CVE-2022-2606) were also found to have high and medium severity uses after free, respectively (CVE-2022-2620).
An exploitable issue was found in Chrome’s Nearby Share function (CVE-2022-2609).
Only a few specifics are available about the problems, as Google says it won’t disclose them in its release notes until “the majority of users have been updated with a remedy.” If the defect is in a third-party library that other projects rely on but haven’t been patched, it may also limit access.
A major security-related change in Chrome 104 is that the U2F API, Chrome’s initial security key API, has been superseded with the newer WebAuthn API. After being adopted by all major browsers, Windows, and Android, WebAuthn was officially recognised by the World Wide Web Consortium (W3C) in 2019.
Since the WebAuthn API supports U2F USB two-factor authentication security keys, websites using them won’t need to make the switch. Google has been alerting site developers about the move for the last two years, so it shouldn’t come as a surprise.
Chrome 104 has also been elevated to the new extended stable channel for Windows and Mac, according to Google’s announcement.