Google has released a security update for its Chrome and Android desktop browsers. The update brings Chrome’s stable channel version to 103.0.5060.134 on desktop and 103.0.5060.129 on Android.
The security update is already available. Most Chrome browsers will receive the update automatically, thanks to the built-in auto-update feature. Chrome users can speed up security update installation on desktop versions of Chrome by loading chrome://settings/help in the browser’s address bar.
The current version is displayed on the page and Chrome runs an update check to see if a new version is available. If not already installed, Chrome will download and install the security update. A reboot is required to complete the upgrade. The Android version of Chrome does not support such an option, as updates are distributed exclusively through Google Play.
Google Chrome Security Fixes 103
Google posted a post on the Chrome Releases blog to let Chrome users and admins know about the update. The blog post confirms that 11 different security issues are fixed in the new version of Chrome. Six of them, all reported by third-party researchers, are specifically mentioned on the blog. Google does not list the security issues it has found internally on the blog.
The maximum severity rating of the 11 security issues is high, the second highest after critical. Here is the full list as reported by Google:
- [$16000] High CVE-2022-2477: Free to use in guest view. Reported by anonymous on 06/14/2022
- [$7500] High CVE-2022-2478: Use after free in PDF. Reported by triplepwns on 2022-06-13
- [$3000] High CVE-2022-2479: Insufficient validation of untrusted entries in file. Reported by anonymous on 2022-05-28
- [$NA] CVE-2022-2480: Use after free in Service Worker API. Reported by Sergei Glazunov of Google Project Zero on 2022-06-27
- [$TBD] High CVE-2022-2481: use after free in views. Reported by YoungJoo Lee (@ashuu_lee) of CompSecLab at Seoul National University on 2022-07-04
- [$7000] Low CVE-2022-2163: Free to use in Cast UI and toolbar. Reported by Chaoyuan Peng (@ret2happy) on 2022-03-21
Google makes no mention of attacks in the wild. It is always recommended to update Chrome to the latest version as soon as possible.
Google released the first version of Chrome 103 earlier this month; this update included a fix for a 0-day vulnerability that was being exploited in the wild.
Now you: do you use Google Chrome?