Google to Patch 8 Chrome Flaws, Including a Zero-Day
Company Also Plans to Upgrade All Page Loads to HTTPS
Google will soon release a security update to address eight vulnerabilities in its Chrome browser, including a high-severity zero-day flaw that's being exploited in the wild.
Google also plans to offer "HTTPS-First Mode," which is intended to upgrade all Chrome page loads to HTTPS and display a full-page warning before loading sites that don’t support it.
The Chrome 91.0.4472.164 security update addressing the eight flaws will be issued "over the coming days/weeks" for browsers running on Windows, Mac and Linux devices, Google says in a blog post.
"Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild," the company says, referring to the zero-day. The vulnerability was reported anonymously on July 12.
Google did not immediately respond to Information Security Media Group's request for comment on the nature of the flaws and the risks they pose.
In addition to the zero-day, the Chrome update will address these flaws: CVE-2021-30559, CVE-2021-30541, CVE-2021-30560, CVE-2021-30564, CVE-2021-30561 and CVE-2021-30562.
Although the blog post says eight issues are addressed, it only lists fixes for seven flaws identified by external researchers. Google did not respond to ISMG's request for further details about the eighth flaw.
The announcement of the upcoming Chrome update comes months after the technology giant patched another zero-day vulnerability in Chrome.
Bid for Safer Browsing
Google is also preparing to update the Chrome browser with a protocol designed to upgrade all page loads to HTTPS, making internet browsing more secure, according to a separate blog post from the company.
The HTTPS-First Mode, scheduled for release Sept. 21 with version M94, will show a full-page warning for sites that don’t support HTTPS, it says.
"When a browser connects to websites over HTTPS (vs. HTTP), eavesdroppers and attackers on the network can't intercept or alter the data that's shared over that connection (including personal information, or even the page itself). This level of privacy and security is vital for the web ecosystem," the blog says.
The company says it will also reexamine the use of the lock icon in the browser's URL bar.
Often users associate the lock icon with a site being trustworthy, when, in fact, it's only the connection that's secure, the blog post says.
"In a recent study, we found that only 11% of participants could correctly identify the meaning of the lock icon. To try and reduce this confusion, Chrome will run an experiment in M93 that replaces the lock in the address bar with a more neutral entry point to page info," the blog says.
"Importantly, a 'not secure' indicator will continue to show on sites without HTTPS support, and the experiment includes an enterprise policy in case organizations want to opt out. In all cases, we'll provide advance notice if we decide to move ahead with a full launch," Google says.
In November 2020, Mozilla introduced an HTTPS-Only mode in the Firefox 83 version of its browser.