It’s time to update: the latest version of Google Chrome fixes 27 security flaws


Google has just released the stable version of Chrome 104, which fixes seven high-severity flaws and 15 medium-severity flaws. The new version is for Windows, Mac and Linux. 27 security vulnerabilities reported by third parties have been fixed in total.

None of these flaws are listed as being actively exploited, but the patch notes accompanying the update include a few notable fixes. Although sparsely described, the high-severity flaws affect the Omnibox (Chrome’s address bar), Google’s Safe Browsing online protection, the Dawn WebGPU implementation and the Nearby Share function, which allows files to be shared between Chromebooks and Android devices, much like Apple’s AirDrop.

There’s also an interesting medium-severity side-channel data leak issue affecting Chrome’s keyboard input, discovered by Erik Kraft and Martin Schwarzl of Graz University of Technology (Austria). They are no strangers to this kind of work: Graz University of Technology researchers played a pivotal role in uncovering the Meltdown and Spectre CPU side-channel attacks in 2018.

Use-after-free flaws galore

Google also awarded $15,000 to an anonymous researcher for the Omnibox “use after free” memory-related issue, tracked as CVE-2022-2603.

Safe Browsing in Chrome was also affected by a high-severity “use after free” issue (CVE-2022-2604), and a medium-severity issue caused by insufficient validation of untrusted inputs (CVE-2022-2622). Safe Browsing is used by Chrome and other browsers to show users a warning before they visit a dangerous website or download a malicious application.

A high-severity issue was reported by Nan Wang and Guang Gong of Qihoo 360’s 360 Alpha Lab on June 10. They also reported a high-severity “use after free” issue in Chrome’s Managed devices API (CVE-2022-2606) and a medium-severity issue of the same nature in Chrome’s WebUI (CVE-2022-2620).

The flaw in Chrome’s Nearby Share feature was also a “use after free” flaw (CVE-2022-2609).

Voluntary Withholding of Information

Details about the vulnerabilities are purposely sparse, as Google restricts access to them “until a majority of users have updated with a patch.” It can also restrict access to this information if the bug exists in a third-party library that other projects depend on, and which has not yet been fixed.

An important security-related change in Chrome 104 is the removal of the U2F API, Chrome’s original security key API, which has been replaced by the new Web Authentication (WebAuthn) API. WebAuthn became an official W3C standard in 2019, by which time it had already been implemented in all major browsers as well as Windows and Android.

Websites will need to migrate to the WebAuthn API

U2F USB two-factor authentication security keys are supported by WebAuthn, so are not affected by the change, but websites will need to migrate to the WebAuthn API. This change should come as no surprise to web developers, as Google has been warning them for two years.

“U2F never became an open web standard and was subsumed by the Web Authentication API (launched in Chrome 67). Chrome never directly supported the FIDO U2F JavaScript API, but instead provided a component extension called cryptotoken… U2F and Cryptotoken are in maintenance mode and have encouraged sites to migrate to the Web Authentication API over the past two years,” Google explains in a recent blog post.
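The client side of the migration described above, as an added example that is not from the article or from Google: it converts a legacy U2F sign request into WebAuthn request options and passes the old AppID through WebAuthn’s `appid` extension, so that keys registered under U2F keep working. The sample request, the `example.com` AppID and the function names are assumptions constructed for illustration.

```javascript
// Added example. SAMPLE_U2F_REQUEST is constructed; a real challenge is random and server-issued.
const SAMPLE_U2F_REQUEST = {
  appId: "https://example.com/app-id.json", // assumed legacy U2F AppID
  challenge: "AAECAwQFBgc",                 // websafe base64 of bytes 0..7
  registeredKeys: [
    { version: "U2F_V2", keyHandle: "AQIDBA" }, // bytes 1,2,3,4
    { version: "OTHER", keyHandle: "_-8" },     // constructed entry with an unexpected version
  ],
};

// The U2F JS API used URL-safe base64 without padding; WebAuthn wants raw bytes.
function websafeB64ToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Build PublicKeyCredentialRequestOptions from a legacy U2F sign request.
function u2fSignRequestToWebAuthn(legacy) {
  const keys = (legacy.registeredKeys || []).filter((k) => k.version === "U2F_V2");
  if (keys.length === 0) throw new Error("no U2F_V2 key handles to migrate");
  return {
    challenge: websafeB64ToBytes(legacy.challenge),
    allowCredentials: keys.map((k) => ({
      type: "public-key",
      id: websafeB64ToBytes(k.keyHandle),
    })),
    userVerification: "discouraged", // U2F keys cannot perform user verification
    extensions: { appid: legacy.appId }, // lets the key sign under its old AppID
  };
}

// Browser-only: request the assertion and report which identifier was used.
async function getAssertionForLegacyKey(legacy) {
  const publicKey = u2fSignRequestToWebAuthn(legacy);
  const cred = await navigator.credentials.get({ publicKey });
  // true means the authenticator signed over SHA-256(appId) instead of the RP ID,
  // so the server must compare rpIdHash against the AppID hash for this login.
  const usedAppId = cred.getClientExtensionResults().appid === true;
  return { cred, usedAppId };
}
```

The `appid` extension only covers authentication with existing credentials; keys enrolled after the migration are registered through WebAuthn against the site’s RP ID.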

Google has also released Chrome 104 to its new extended stable channel for Windows and Mac.

Source: ZDNet.com




