May 26 update below. This post was originally published on May 25th
Many people consider the regular discovery and patching of product vulnerabilities a sign of poor security; I am not one of them. I’ve always said that I would much prefer these security flaws to be discovered, whether through internal teams, bug bounty platforms, or independent researchers, than to go unfound. Vendors who patch regularly and transparently show a strong rather than weak security stance. Certainly, in an ideal world, the software would be free from any bugs and hackers would not be able to find creative ways to exploit the code. This is not a perfect world, in case you missed it. In this regard, Google does a good job from a security perspective, and the latest Chrome update, version 102, is a great example of that in action.
However, recently published research from Which?, the UK consumer group, claims that in another area of web browser security, phishing protection, Google doesn’t have much to be proud of.
Which? report claims Google Chrome lags behind when it comes to protecting users from phishing
Google Chrome is by far the most popular web browser in the world, no matter what metric you use to come to that conclusion. With over 3 billion users and a desktop market share of 65% (Safari ranks second with just 9%), Chrome is the undisputed champion of browsers. But the Which? report seems to claim that Chrome is well and truly left behind by Apple Safari, Microsoft Edge, Mozilla Firefox, and Opera when it comes to one security metric: detecting and blocking phishing sites. It has to be said that Google itself objects to the claim.
The report was based on testing the most popular web browsers by trying to visit a total of “800 newly discovered sites very soon after they were first discovered,” according to Michael Basingham, senior researcher at Which? This appears to be in order to test how well browsers can handle the latest phishing threats from sites that haven’t yet appeared in the browsers’ phishing databases.
The results varied depending on the platform, so they were divided into categories for Windows and Mac: Google Chrome placed last in each. The percentages below represent the proportion of those phishing sites that each browser prevented the user from opening.
Windows:
- 85% Mozilla Firefox
- 82% Microsoft Edge
- 56% Opera
- 28% Google Chrome
Mac:
- 78% Mozilla Firefox
- 77% Apple Safari
- 56% Opera
- 25% Google Chrome
What Google says about the Which? phishing test results
I reached out to Google which supplied me with the following statement:
“This study’s methodology and findings demand scrutiny. For more than 10 years, Google has helped set the anti-phishing standard — and freely provided the underlying technology — for other browsers. Google and Mozilla often partner to improve the security of the web, and Firefox relies primarily on Google’s Safe Browsing API to block phishing – but the researchers indicated that Firefox provided significantly more phishing protection than Chrome. It’s highly unlikely that browsers using the same technology for phishing detection would differ meaningfully in the level of protection they offer, so we remain sceptical of this report’s findings.”
What does a phishing awareness expert say?
“Depending on the methodology and techniques used, the results of how browsers detect and block phishing attacks can vary,” Javvad Malik, lead security awareness advocate at anti-phishing specialists KnowBe4, said. “However, it’s worth bearing in mind that like many threats, phishing cannot be prevented with just one control, and perhaps due to the nature of phishing attacks, technology alone will never be fully effective. Therefore, it’s vitally important to provide users with timely and relevant security awareness and training so that they can be better placed to identify phishing attacks and report them to their security teams.”
Google Chrome 102 update fixes 32 new security vulnerabilities
The good news for the estimated 3.2 billion users of Google’s Chrome web browser is that, as far as we know, there are no new zero-day attacks ongoing against them. However, according to the latest confirmation from Google, a total of 32 new security vulnerabilities have been discovered that impact the Chromium-based browser. Of these, one has a critical impact status, eight are rated high and a further nine are medium.
This is one big, and very important, security update for all Chrome users across Windows, Mac, and Linux platforms. There is also an update rolling out for the Android Chrome app, but this appears not to be security-related as Google has only pointed to “stability and performance” issues in the release announcement.
What are the most important Google Chrome vulnerabilities to be disclosed?
So, what do we know about the May 24 Google Chrome update, which takes the browser to version 102.0.5005.61 for Mac and Linux users and either 102.0.5005.61, 62 or 63 for Windows users? After ensuring my copy on Windows 11 was updated (details below) it is showing as version 102.0.5005.63, but your mileage could vary, it seems.
OK, so here are the details of the most important vulnerabilities that have been fixed by this security update.
- CVE-2022-1853 is a critical-rated ‘use after free’ vulnerability impacting IndexedDB, a feature that allows fast access to structured data.
- CVE-2022-1854 is a high-rated ‘use after free’ vulnerability in the ANGLE graphics engine abstraction layer.
- CVE-2022-1855 is a high-rated ‘use after free’ vulnerability in messaging.
- CVE-2022-1856 is a high-rated ‘use after free’ vulnerability in the user education function.
- CVE-2022-1857 is a high-rated vulnerability concerning insufficient policy enforcement in the file system API.
- CVE-2022-1858 is a high-rated ‘out of bounds’ vulnerability impacting DevTools.
- CVE-2022-1859 is another high-rated ‘use after free’ vulnerability, this time within the performance manager.
- CVE-2022-1860 is yet another high-rated ‘use after free’ vulnerability, this time within UI foundations.
- CVE-2022-1861 rounds out the high-rated vulnerabilities: a ‘use after free’ one impacting sharing.
The remaining vulnerabilities, not all of which have been assigned Common Vulnerabilities and Exposures (CVE) numbers, may not be as serious in terms of impact but go towards completing what is another huge security update from Google.
Why, and how, you should update now
As always, it is recommended that you force the Chrome security update as soon as you can. While it will be rolling out over the coming days and weeks, as Google always says, given the nature of the security vulnerabilities that are covered, it’s a good idea not to wait. Simply heading to the Help|About option in your Google Chrome menu is all it takes to get the process going. This forces Chrome to check for, and download, any updates. What is vital, though, is that you restart the browser to ensure the update has been implemented and is protecting you from potential harm.
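For anyone who needs to confirm the update landed on more than one machine, here is an added example (not from the article or from Google) that parses the version string Chrome prints for `--version` on Linux and macOS and checks it against the 102.0.5005.61 build described above; the sample outputs are constructed, and the `google-chrome` binary name is an assumption that varies by platform.

```python
import re
import subprocess
from typing import Optional, Tuple

# Minimum fixed build from the May 24 release (Mac/Linux got .61; Windows got .61, .62 or .63).
MIN_FIXED_VERSION = "102.0.5005.61"

_VERSION_RE = re.compile(r"(\d+(?:\.\d+){1,3})")


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Extract the first dotted version from text such as 'Google Chrome 102.0.5005.63'.
    Returns a 4-tuple of ints (missing trailing fields padded with 0), or None if absent."""
    match = _VERSION_RE.search(text)
    if not match:
        return None
    parts = tuple(int(p) for p in match.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_patched(version_text: str, minimum: str = MIN_FIXED_VERSION) -> bool:
    """True when the installed build is at or above the fixed build; tuple comparison
    handles the Windows .62/.63 variants as well as later releases."""
    installed = parse_version(version_text)
    required = parse_version(minimum)
    if installed is None or required is None:
        return False  # unknown version: report as unpatched rather than assume safe
    return installed >= required


def installed_chrome_version(binary: str = "google-chrome") -> Optional[str]:
    """Run `<binary> --version` (Linux/macOS; binary name is an assumption). None if unavailable."""
    try:
        result = subprocess.run([binary, "--version"], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return result.stdout.strip() or None


# Constructed sample outputs (not captured from real machines) to exercise the check.
SAMPLES = {
    "Google Chrome 102.0.5005.63": True,   # Windows build mentioned in the article
    "Google Chrome 102.0.5005.61": True,   # Mac/Linux build mentioned in the article
    "Google Chrome 101.0.4951.67": False,  # pre-update build, still exposed
    "Chromium 102.0.5006.0": True,         # any later build number also passes
}

if __name__ == "__main__":
    for line, expected in SAMPLES.items():
        print(f"{line!r}: patched={is_patched(line)} (expected {expected})")
    live = installed_chrome_version()
    print("installed:", live, "patched" if live and is_patched(live) else "unknown/unpatched")
```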