May 26 update below. This article was originally published on May 25
Many people equate the regular discovery and patching of product vulnerabilities as a sign of poor security; I am not one of them. I have always said that I would much rather see these security flaws being detected, whether by internal teams, bug bounty platforms, or independent researchers, than not being discovered. Vendors that patch regularly and transparently demonstrate a strong, not weak, security posture. Of course, in an ideal world, software would be bug-free and hackers wouldn’t be able to find creative ways to exploit the code. This is not, in case you missed it, an ideal world. In this regard, Google is doing a good job from a security perspective and the latest Chrome version 102 update is a great example of this in action.
However, recently published research from Which? in the UK says that in another area of web browser security, phishing protection, Google has much less to be proud of.
Which? report claims Google Chrome lags behind in browser phishing protection
Google Chrome is by far the most popular web browser in the world, no matter what metric you use to come to that conclusion. With more than 3 billion users and a 65% market share on desktop computers (Safari takes second place with just 9%), Chrome is the undisputed champion of browsers. But the Which? report claims that it has been beaten by Apple Safari, Microsoft Edge, Mozilla Firefox and Opera when it comes to one security metric: detection and blocking of phishing sites. An assertion that, it must be said, Google itself disputes.
The report was based on testing the most popular web browsers by attempting to visit a total of “800 newly discovered sites within a very short time of their first discovery”, according to Michael Passingham, principal researcher at Which? This appears to be in an effort to test how well browsers can deal with the latest phishing threats from sites that haven’t previously made it into databases of such things.
The results varied by platform, so they were split into Windows and Mac categories; Google Chrome placed last in each. The percentages below represent the proportion of those phishing sites that the browsers prevented the user from opening.
Windows:
- 85% Mozilla Firefox
- 82% Microsoft Edge
- 56% Opera
- 28% Google Chrome
Mac:
- 78% Mozilla Firefox
- 77% Apple Safari
- 56% Opera
- 25% Google Chrome
What does Google say about the Which? phishing test results?
I contacted Google who provided me with the following statement:
“The methodology and results of this study demand careful scrutiny. For more than 10 years, Google has helped set the anti-phishing standard – and provided the underlying technology for free – for other browsers. Google and Mozilla often work together to improve web security, and Firefox primarily relies on Google’s Safe Browsing API to block phishing, but researchers reported that Firefox offered significantly better phishing protection than Chrome. We remain skeptical of the findings of this report.”
What does a phishing awareness expert say?
“Depending on the methodology and techniques used, the results of browsers detecting and blocking phishing attacks may vary,” said Javvad Malik, senior security awareness advocate at anti-phishing specialists KnowBe4. “However, it should be kept in mind that, like many threats, phishing cannot be prevented with a single control, and perhaps due to the nature of phishing attacks, technology alone will never be fully effective. Therefore, it is extremely important to provide users with timely information and relevant security awareness and training so that they are in a better position to identify phishing attacks and report them to their security teams.”
Google Chrome 102 update fixes 32 new security vulnerabilities
The good news for the approximately 3.2 billion users of Google’s Chrome web browser is that, to our knowledge, there are no new zero-day attacks underway against them. However, according to the latest confirmation from Google, a total of 32 new security vulnerabilities have been discovered that affect the Chromium-based browser. Of these, one has a critical impact status, eight are rated high, and another nine are medium.
This is an important security update for all Chrome users on Windows, Mac and Linux platforms. An update is also rolling out for the Android Chrome app, but that doesn’t appear to be security-related, as Google only flagged “stability and performance” issues in the update announcement.
What are the top Google Chrome vulnerabilities disclosed?
So what do we know about the Google Chrome update on May 24, which upgrades the browser to version 102.0.5005.61 for Mac and Linux users and 102.0.5005.61, .62 or .63 for Windows users? After making sure my copy on Windows 11 has been updated (details below) it shows as version 102.0.5005.63, but your mileage may vary, it seems.
OK, so here are the details of the most important vulnerabilities that have been fixed by this security update.
- CVE-2022-1853 is a critical use-after-free vulnerability that affects IndexedDB, a feature that allows fast access to structured data.
- CVE-2022-1854 is a high-rated use-after-free vulnerability in the ANGLE graphics engine abstraction layer.
- CVE-2022-1855 is a high-rated use-after-free vulnerability in Messaging.
- CVE-2022-1856 is a high-rated use-after-free vulnerability in the User Education feature.
- CVE-2022-1857 is a high-rated insufficient policy enforcement vulnerability in the Filesystem API.
- CVE-2022-1858 is a high-rated out-of-bounds vulnerability that affects DevTools.
- CVE-2022-1859 is another high-rated use-after-free vulnerability, this time in Performance Manager.
- CVE-2022-1860 is yet another high-rated use-after-free vulnerability, this time in UI Foundations.
- CVE-2022-1861 rounds out the high-rated vulnerabilities, a use-after-free impacting Sharing.
The remaining vulnerabilities, not all of which have been assigned Common Vulnerabilities and Exposures (CVE) numbers, may not be as severe in terms of impact, but they round out another huge Google security update.
Why and how to update now
As always, it is recommended to force the Chrome security update as soon as possible. Although it will roll out over the next few days and weeks, as Google always says, given the nature of the security vulnerabilities covered, it’s a good idea not to wait. Just head to the Help | About Google Chrome menu to start the process. This forces Chrome to check for and download any updates. What is essential, however, is that you restart the browser to ensure that the update has been applied and protects you from potential harm.
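For anyone checking a fleet rather than a single machine, the same version check can be scripted. The block below is an added example, not Google's code or anything from the article: it parses the version string a Chrome binary prints and compares it against the 102.0.5005.61 baseline the update establishes. The binary names and the macOS application path are assumptions about common installs, and the baseline is the version stated above.

```python
"""Check whether an installed Chrome reports a build that carries the
Chrome 102 security fixes.  Added example; not Google's code."""
import re
import shutil
import subprocess
import sys
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# Lowest build that carries the 32 fixes, per the article: 102.0.5005.61 on
# Mac and Linux; Windows builds were .61, .62 or .63, all >= this baseline.
PATCHED_BASELINE: Version = (102, 0, 5005, 61)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text: str) -> Optional[Version]:
    """Extract a four-part Chrome version from text such as the output of
    `google-chrome --version` ("Google Chrome 102.0.5005.61").
    Returns None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, build, patch = (int(p) for p in m.groups())
    return (major, minor, build, patch)


def is_patched(version: Version, baseline: Version = PATCHED_BASELINE) -> bool:
    """Tuple comparison is lexicographic on integers, so 102.0.5005.63 >= .61
    is True and 101.0.4951.67 is False. A plain string comparison would
    mis-order "9" against "10", which is why the parts are parsed as ints."""
    return version >= baseline


def installed_chrome_version() -> Optional[Version]:
    """Ask the local Chrome binary for its version.
    Binary names and the macOS path are assumptions for common installs.
    Caveat: this reports the on-disk binary. A browser that downloaded the
    update but has not been restarted is still running the old build, which
    is exactly why the article insists on the restart."""
    candidates = ["google-chrome", "google-chrome-stable",
                  "chromium", "chromium-browser"]
    if sys.platform == "darwin":
        candidates.insert(
            0, "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome")
    for name in candidates:
        path = name if name.startswith("/") else shutil.which(name)
        if not path:
            continue
        try:
            out = subprocess.run([path, "--version"], capture_output=True,
                                 text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        version = parse_chrome_version(out.stdout)
        if version:
            return version
    return None


if __name__ == "__main__":
    found = installed_chrome_version()
    if found is None:
        print("No Chrome binary found; check Help | About Google Chrome instead.")
    else:
        dotted = ".".join(str(p) for p in found)
        verdict = "includes" if is_patched(found) else "does NOT include"
        print(f"Installed Chrome {dotted} {verdict} the 102.0.5005.61 fixes.")
```

On Windows the Help | About Google Chrome dialog remains the simpler source of truth, since it both reports the version and triggers the download; the script is most useful on Linux or Mac hosts where you want a yes/no answer across many machines without opening the browser.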