
Chrome has updated to ‘Chrome 95’ closing 19 Security Holes

Chrome has just released a stable channel update for the desktop, introducing several features and closing 19 security holes

Updated: October 22, 2021 By Ozair Malik


Google Chrome announced its recent update as ‘Chrome 95’ on Oct 19, 2021. This update is likely to roll out in the coming days.

This update, Chrome 95.0.4638.54, contains several fixes and improvements, including Secure Payment Confirmation, Eyedropper support, web app improvements, and more.

This update will be available immediately for Windows, macOS, and Linux. Chrome launched this update just a few weeks after the Chrome 94 update, as some external researchers notified Google about security flaws.

The Update Installation

Users who have an older version of Google Chrome installed will automatically be notified about the update's availability. Users who do not want to wait for the update can download it by following these steps:

  • Open Chrome and click the three dots in the top-right corner.
  • Click ‘Help,’ the second-to-last option in the menu.
  • If an update is available, click Restart to install it.

The users who don’t have Chrome installed can visit the official website and download the latest updated version.
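
To confirm the update has landed on several machines, the reported version can be compared with the fixed build 95.0.4638.54. This is an added example, not part of the original article; the hostnames and version banners are constructed, and the banner format "Google Chrome <version>" is an assumption about how the versions were collected.

```python
import re

# Fixed build named in the article.
FIXED_BUILD = (95, 0, 4638, 54)

# Chrome versions are four dot-separated integers: MAJOR.MINOR.BUILD.PATCH.
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)\.(\d+)(?![\d.])")


def parse_version(text):
    """Extract the four-part version from a banner such as
    'Google Chrome 94.0.4606.81'. Returns a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(text, fixed=FIXED_BUILD):
    """True if at or past the fixed build, False if older,
    None if no version could be parsed (needs manual review)."""
    v = parse_version(text)
    if v is None:
        return None
    # Tuples of ints compare numerically per component, so 4638.9 is
    # older than 4638.54 and 100.x is newer than 95.x. Comparing the
    # raw strings would get both of those wrong.
    return v >= fixed


def audit(inventory):
    """Split a {host: banner} map into patched / outdated / unknown hosts."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        state = is_patched(banner)
        key = "unknown" if state is None else ("patched" if state else "outdated")
        report[key].append(host)
    return report


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = {
    "ws-01": "Google Chrome 95.0.4638.54",
    "ws-02": "Google Chrome 94.0.4606.81",
    "ws-03": "Google Chrome 95.0.4638.9 ",
    "ws-04": "Google Chrome 100.0.4896.60",
    "ws-05": "chrome: command not found",
}

if __name__ == "__main__":
    for state, hosts in audit(SAMPLE).items():
        print(f"{state:9} {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown bucket returned no parseable version and should be checked by hand rather than assumed patched.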

The New Features

Chrome 95 introduces many features that make the user's experience more secure. Some of the essential ones are:

Secure Payment Confirmation

Google's goal was to improve payment authentication across the web, making it more secure and organized.

For this purpose, the company has added a new payment extension to WebAuthn, in which third parties such as banks can authenticate any requests made by merchants during checkout in an online store.


Google says the motive behind the feature is to create a better user authentication experience, as "strong authentication with the user's bank is coming up as a requirement for online payments in many regions, including the European Union."

Google also stated that the proposed feature provides a better user experience and more robust security than existing solutions.

Web Apps Can Be Default Apps

In Chrome 95, Google allows web apps to register themselves as ‘URL handlers.’ This means that they can act more like native default apps. For example, clicking a link associated with a service can open the link in that service’s web app.

This has been possible through other means for a while, but now it’s integrated directly in Chrome. As a user, the result is that web apps feel even more like “real” native apps.

Microsoft implemented it in Edge a while ago after Google first started testing this in Chrome 93.

Color Eyedropper Tool Support

Google is introducing a new EyeDropper API to the desktop version of Chrome. This will allow web applications to offer their own eyedropper tools.

An eyedropper tool allows picking a color from an image and helps to construct custom color pickers. This feature is already available in some applications like PowerPoint and Photoshop.

Save Tab Groups

Chrome 95 added a new feature to save tab groups. That means you create a Tab Group as usual, but now you have the option to save the group.

So whenever you want to access the group again, it will be much easier. This feature has become a standard feature across web browsers.

Other Features

A few of the other changes are:

  • Google already removed FTP support in Chrome 88, but now Chrome is removing support for FTP URLs.
  • Google wants to lessen the number of entry points for web applications to access your file system. Their motive is to replace its File System Access API with the Storage Foundation API.
  • The new UI has made it easier to search for a file in the Command Menu.

Major Security Holes

Security is a prime concern, especially in web browsing; the most significant part of the Chrome 95 upgrade was the nineteen security fixes.

External researchers found these flaws and then reported them to Google. Some of them are discussed here.

  • CVE-2021-37981: Heap buffer overflow in Skia Reported by Yangkang (@dnpushme)

The vulnerability risk is high: a heap buffer overflow in Skia in Google Chrome before 84.0.4147.89 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

  • CVE-2021-37983: Use after free in Dev Tools. Reported by Zhihua Yao

The vulnerability risk is medium, and it allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the Dev Tools component in Google Chrome.

The vulnerability risk is medium, allowing a remote attacker to gain access to sensitive information.

The vulnerability exists due to a boundary condition within the Web Audio component in Google Chrome.

  • CVE-2021-37993: Use after free in PDF Accessibility. Reported by Cassidy Kim

The vulnerability risk is medium, and it allows a remote attacker to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within PDF Accessibility in Google Chrome.

The Updates History

Google Chrome is updated continuously at short intervals. It seems Chrome released this update after just two weeks, as Chrome 94 was released in mid-September and, similarly, Chrome 93 was released in August. Google has also announced the following dates for its updates.

Google appreciates and also pays the researchers who are behind many of the bug findings and, in turn, the updates.

Author
Ozair Malik
A passionate Cyber Security researcher and writer with a keen interest in Digital Forensics. A community worker running an Insta blog to raise cybersecurity awareness among laymen.
