Google has released its Chrome browser in the new major version 105. The developers have closed 24 vulnerabilities in the browser, one of which is classified as critical.
With Chrome 105.0.5195.52/53/54 for Windows (105.0.5195.52 for macOS and Linux), Google brings its web browser into the 105 generation. In the new major version, the developers have eliminated 24 vulnerabilities. Options for manipulating the clipboard are currently the subject of discussion.
In the Chrome Release Blog, Prudhvikumar Bommana lists the 21 of the 24 fixed vulnerabilities that were discovered by external researchers and reported to Google. None of them is a zero-day vulnerability. However, Google classifies one of the vulnerabilities (CVE-2022-3038 in the Network Service) as critical and another eight as high risk. Many are use-after-free vulnerabilities in various browser components, such as WebSQL, Layout, and PhoneHub. Nine vulnerabilities are rated medium risk and three low risk.
So far, Google has awarded the external researchers $62,500 in bounties. As always, Google has not published any details about the vulnerabilities found internally. As a rule, Chrome updates itself automatically when a new version is available. You can trigger the update check manually via Help » About Google Chrome.
Read and write access to the clipboard
A vulnerability that affects all Chromium-based browsers (Chrome, Edge, Opera, Brave, Vivaldi and others) is currently being discussed, and not only among Chromium developers. At present, a website can read content from the clipboard and write new content to it, possibly without requiring any user interaction that could be interpreted as qualified consent. With malicious intent, a fraudulent website could use this to replace credit card or account data that a user wants to transfer to a web form via the clipboard. What a secure solution that does not violate existing interface specifications (API specs) could look like is still the subject of discussion.
Other Chromium-based browsers
The manufacturers of other Chromium-based browsers are now being asked to follow suit with appropriate updates. Microsoft Edge 104.0.1293.70, Brave 1.42.97, Vivaldi 5.4.2753.40 and Opera 90.0.4480.54 are based on the current Chromium version 104.0.5112.102 (or something newer). For Vivaldi, it remains to be seen whether the current practice of skipping odd Chromium major versions (like 105) and instead using the Extended Stable Channel to close security gaps in the meantime will continue. In the Extended Stable Channel, Google made version 104.0.5112.111 available at the same time as Chrome 105, but without stating whether vulnerabilities were fixed in it, or which ones.
Chrome 105.0.5195.68 for Android and Chrome 105.0.5195.69 for iOS have also been released. Google will release Chrome 106 on September 27th.
Chromium-based browsers at a glance: