Google just gave its two billion Chrome users a brilliant (if long overdue) upgrade, but it doesn’t mask all of the controversial changes, security problems and data concerns which have worried users about the browser recently. And now Google has issued a new critical warning you need to know about.
Picked up by security specialist Sophos, (81.0.4044.113). Interestingly, at the time of publication, Google is also keeping the exact details of the exploit a mystery.
In a blog post, all Google divulges is the identifier assigned to the vulnerability (CVE-2020-6457) and a vague description: “Use after free in speech recognizer”. Do some digging, however, and you will find the entry has been marked as ‘Reserved’ by the US government’s National Vulnerability Database.
Shedding some light on this is Sophos, which explains:
“[I]n some cases, use-after-free bugs can allow an attacker to change the flow of control inside your program, including diverting the CPU to run untrusted code that the attacker just poked into memory from outside, thereby sidestepping any of the browser’s usual security checks or “are you sure” dialogs. That’s the most serious sort of exploit, known in the jargon as RCE, short for remote code execution, which means just what it says – that a crook can run code on your computer remotely, without warning, even if they’re on the other side of the world.”
If Sophos is right, it makes a lot of sense that Google would consider the exploit serious enough that it wants the details kept secret from potential hackers before most Chrome users have upgraded and are safe.
Chrome 81.0.4044.113 is rolling out for Windows, Mac and Linux right now. You can check your version of Chrome by clicking the three vertical dots in the top right corner of the browser then navigating to Help > About. As long as you are running this version (or above if you are reading this post at a later date) you are safe. If not, you must update urgently – something Chrome should prompt you to do on its About page.
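For anyone checking more than one machine, the same comparison can be scripted. The sketch below is an added example, not code from Google or Sophos: it assumes version strings of the form "Google Chrome 81.0.4044.113", and the host names and inventory values are constructed. It compares the four version fields as numbers, because a plain string comparison would wrongly rank 81.0.4044.92 above 81.0.4044.113.

```python
import re

# Fixed build named in the article.
PATCHED = "81.0.4044.113"

# Four dot-separated numeric fields, e.g. 81.0.4044.113
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part Chrome version from free text as a tuple of ints."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no four-part version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(reported, patched=PATCHED):
    """True if the reported version is at or above the patched build."""
    # Tuples of ints compare field by field, so 92 < 113 as intended.
    return parse_version(reported) >= parse_version(patched)


def audit(inventory):
    """Return sorted host names that are below the patched build.

    Hosts whose version cannot be parsed are reported too, so an
    unreadable entry is never silently treated as up to date.
    """
    stale = []
    for host, reported in inventory.items():
        try:
            ok = is_patched(reported)
        except ValueError:
            ok = False
        if not ok:
            stale.append(host)
    return sorted(stale)


# Constructed sample inventory (hypothetical hosts and values).
SAMPLE_INVENTORY = {
    "ws-01": "Google Chrome 81.0.4044.113",
    "ws-02": "Google Chrome 81.0.4044.92",
    "ws-03": "Google Chrome 80.0.3987.163",
    "ws-04": "Google Chrome 83.0.4103.61",
    "ws-05": "unknown",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: needs update ({SAMPLE_INVENTORY[host]})")
```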
And there’s a bonus: if your version of Chrome is out of date, you’re not only vulnerable to potential attack, you’re also likely to be missing out on Tab Groups, Google’s brilliant new tab organisation feature. So, in this case, protecting yourself also comes with an upside.