Google has released Chrome version 104 for Windows, Mac and Linux, with fixes for 27 security bugs reported by third parties.
None of the flaws are listed as being actively exploited, but the release notes for Chrome 104 do contain a few notable, albeit sparsely described, fixes for high severity flaws that affect the Chrome ‘Omnibox’ (address bar), Google’s optional online protection Safe Browsing, the Dawn WebGPU implementation in Chrome, and Google’s Apple AirDrop-like Nearby Share feature for sharing files between Chromebook and Android devices.
There’s also an interesting medium severity side-channel information leakage issue affecting Chrome’s keyboard input, discovered by Erik Kraft and Martin Schwarzl of Graz University of Technology (Graz TU), Austria. Researchers from Graz TU were central to the discovery of the Meltdown and Spectre CPU side-channel attacks in 2018.
Google awarded an anonymous researcher $15,000 for the Omnibox memory-related ‘use after free’ issue tracked as CVE-2022-2603.
Safe Browsing in Chrome was also affected by a high severity use after free (CVE-2022-2604), and a medium severity issue caused by insufficient validation of untrusted input (CVE-2022-2622).
Safe Browsing is used by Chrome and other major browsers to show users a warning before they visit a dangerous website or download a malicious app.
The high severity Safe Browsing issue was reported by Nan Wang and Guang Gong of 360 Alpha Lab at Qihoo 360 on June 10. The pair also reported a high severity use after free in Chrome’s Managed devices API (CVE-2022-2606), and a medium severity use after free in Chrome’s WebUI (CVE-2022-2620).
The flaw in Chrome’s Nearby Share feature was also a use after free flaw (CVE-2022-2609).
Details about the bugs are scant because Google restricts access to bug details in its release notes “until a majority of users are updated with a fix.” It may also restrict access if the bug exists in a third-party library that other projects depend on but haven’t yet fixed.
An important security-related change in Chrome 104 is the removal of the U2F API, the original security key API for Chrome, which has been replaced by the newer Web Authentication (WebAuthn) API. WebAuthn became an official W3C standard in 2019, by which time it had already been implemented in all major browsers as well as Windows and Android.
U2F USB two-factor authentication security keys are supported by WebAuthn, so aren’t affected by the change, but websites will need to migrate to the WebAuthn API. The change should come as no surprise to web developers as Google has been warning about the change for the past two years.
“U2F never became an open web standard and was subsumed by the Web Authentication API (launched in Chrome 67). Chrome never directly supported the FIDO U2F JavaScript API, but rather shipped a component extension called cryptotoken… U2F and Cryptotoken are firmly in maintenance mode and have encouraged sites to migrate to the Web Authentication API for the last two years,” Google explained in a recent blog post.
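For sites facing the migration described above, the following added example (not code from Google or from the original article) sketches how keys registered through the old U2F API can keep working under WebAuthn by using the standard `appid` client extension. The helper names, the configuration object and all sample values are assumptions made for illustration.

```javascript
// Added example. Helper names are hypothetical; sample values are constructed.

// U2F key handles are stored as web-safe base64; WebAuthn wants raw bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(s.length / 4) * 4, '=');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Build the publicKey options passed to navigator.credentials.get().
function buildRequestOptions(cfg, challenge) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new TypeError('challenge must be at least 16 random bytes');
  }
  const ids = [...cfg.webauthnIds, ...cfg.legacyKeyHandles];
  const options = {
    challenge,
    rpId: cfg.rpId,
    allowCredentials: ids.map((id) => ({ type: 'public-key', id: b64urlToBytes(id) })),
    userVerification: 'discouraged', // second factor only, as under U2F
  };
  // Send the appid extension only while legacy U2F registrations remain.
  if (cfg.legacyKeyHandles.length > 0) {
    if (!cfg.legacyAppId.startsWith('https://')) {
      throw new Error('a FIDO AppID is an https URL');
    }
    options.extensions = { appid: cfg.legacyAppId };
  }
  return options;
}

// Server side: which identifier's SHA-256 must equal authenticatorData.rpIdHash.
// extResults is the output of credential.getClientExtensionResults().
function expectedRpIdHashInput(cfg, credentialId, extResults) {
  const usedAppId = Boolean(extResults && extResults.appid);
  const isLegacy = cfg.legacyKeyHandles.includes(credentialId);
  // Strict policy chosen for this example: a mismatch is rejected outright.
  if (usedAppId !== isLegacy) {
    throw new Error('appid result does not match how the credential was registered');
  }
  return usedAppId ? cfg.legacyAppId : cfg.rpId;
}

// Constructed sample configuration.
const sampleCfg = {
  rpId: 'example.com',
  legacyAppId: 'https://example.com/app-id.json',
  legacyKeyHandles: ['AQIDBA'],
  webauthnIds: ['-_8'],
};
```

Once every legacy key handle has been re-registered through WebAuthn, the `legacyKeyHandles` list is empty and the extension is no longer sent.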
Google has also promoted Chrome 104 to its new extended stable channel for Windows and Mac.