On March 1, 2022, Google announced a series of “high” security fixes as part of its “rapid” response to keep users safe from harm; in some quarters these are being registered as a critical upgrade to version 99.0.4844.51.
This update includes 28 security fixes.
CIS reported it this way, telling government and businesses to treat it as a HIGH risk situation:
Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:
CVE-2022-0789: Heap buffer overflow in ANGLE
CVE-2022-0790: Use after free in Cast UI
CVE-2022-0791: Use after free in Omnibox
CVE-2022-0792: Out of bounds read in ANGLE
CVE-2022-0793: Use after free in Views
CVE-2022-0794: Use after free in WebShare
CVE-2022-0795: Type Confusion in Blink Layout
CVE-2022-0796: Use after free in Media
CVE-2022-0797: Out of bounds memory access in Mojo
CVE-2022-0798: Use after free in MediaStream
CVE-2022-0799: Insufficient policy enforcement in Installer
CVE-2022-0800: Heap buffer overflow in Cast UI
CVE-2022-0801: Inappropriate implementation in HTML parser
CVE-2022-0802: Inappropriate implementation in Full screen mode
CVE-2022-0803: Inappropriate implementation in Permissions
CVE-2022-0804: Inappropriate implementation in Full screen mode
CVE-2022-0805: Use after free in Browser Switcher
CVE-2022-0806: Data leak in Canvas
CVE-2022-0807: Inappropriate implementation in Autofill
CVE-2022-0808: Use after free in Chrome OS Shell
CVE-2022-0809: Out of bounds memory access in WebXR
Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data.
The roll-out from Google was almost immediate for Linux and Windows users, yet days later some Apple users are still waiting to get the new version.
As of right now, macOS shows version 98 as current.
This seems worth raising publicly as Google has been very loudly trying to shame Apple for being slow in its own browser updates, yet clearly Google is being slow in its browser updates for Apple users.
I’m not seeing anyone reporting this as Google not patching Apple systems, and that’s not even to get into an exploit in the wild for Chrome 98 (prior version).
At this point it seems safer for Apple users to remove the insecure version of Chrome than to run it after public disclosure of the vulnerabilities, no?