Chrome's Latest Update: 30 Security Fixes and Bug Details Kept 'Restricted'

Hot Hardware warns that on Tuesday, the Stable Channel for Chrome's desktop edition "had an update on April 26, 2022. That update includes 30 security fixes, some of them so bad that Google is urging all users to update immediately." The release notes for Google's Chrome v101.0.4951.41 for Windows, Mac, and Linux has a long list of bug fixes; you can view it here. However, there's also a key statement in that page.

"Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed...."

Effectively the the non-developer translation of the quote above is that something so significant was found, the details are being kept hidden.

Oh good

[slashmydots]

So word on the street is they're keeping the flaws under wraps for other Chrome-based software. I am SOOO glad Discord is based on Chromium instead of, you know, asking a first year programming student to make a basic text messaging service as a weekend assignment. Just like I'm SOOO glad that a billion dollars or whatever later, they STILL haven't hired a crew of programmers...or one programmer...or a chimpanzee to write a basic featured text messaging app that doesn't use scripts and HTML5. Really no excu

Re:

[black3d]

This seems a little misdirected. You don't need to use the Discord app - it will work through the browser of your choice. If there's an issue with that because the app provides some feature you don't get through the browser, then it suggests you're not after a 'basic text messaging app', but something a lot more - which is what Discord is. It's the very fact that it's NOT a static, refresh-requiring, non-scripted, text messaging app is what makes it a product.

You're kinda making a "have your cake and eat

Re:

[Khyber]

Discord is based off Electron. If there's a vulnerability in Chrome, Discord will have it as well as Electron is a subset of the Chrome APIs.

Do you even know what you're talking about? Doesn't look like it.

Re:

[black3d]

The desktop app is, which is why the very first sentence dealt with 'so don't use the app - you can still use Discord'. I'm not aware how these bugs in Chrome would impact my system using Discord via Firefox. SpiderMonkey's not going to fall over because there's a bug in Electron. (Or it may, but rather, that would point to a flaw in Warp/SpiderMonkey).

But besides that, the main point of the post was the fact that you can't have Discord without scripting; the very thing OP is lamenting, that they should ha

Re:

[Khyber]

Nothing of what Discord does requires scripting. We had all this garbage waaaay back in the days of pIRCh98 (including built-in video chat server.)

Re:

[black3d]

Oh wow, claiming running executable software is somehow less intrusive? You're still talking as if Discord is a standalone piece of software. It runs through a browser. You can get the desktop app if you wish to run it independently to your browser (which also adds the ability to have non-focused voice recording), but you don't need to run the Electron-based desktop app to access the service.

Your first statement is wrong. To run through a non-specialised browser, Discord requires scripting. Discord wouldn'

Re:

[Slashdot Junky]

Back in the day, we also didn't need Macromedia Flash since image presentation and animation was still possible without it for desktop applications. Electron and other browser based runtimes are for people that can't or won't develop for platforms beyond the web before delivering a product for the desktop or another OS. Instead, they just stuff their HTML, CSS, and slow ass JavaScript in a resource heavy, kitchen sink having framework. Lightweight, purpose specific applications are still possible and eve

Re:

[black3d]

100%, but he's comparing pirch to Discord in terms of functionality and saying "pirch didn't need scripting [therefore Discord shouldn't]", whereas the difference is, one's running in a non-specialised browser (Discord, requiring scripting for functionality), and one's specialised software (pirch, perhaps not requiring scripting, but rather requiring an entirely executable software solution). Thus, the comparison of "we didn't need scripting for animations back in the day, we had Flash", likewise, requiring

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Oh good

[drinkypoo]

And if its the usability and features you have a problem with, then don't use Discord

That's often not an option because support features for many games now require Discord. There is literally no other way to seek support. Consequently a whole bunch of people have been roped into using it who had no interest in it whatsoever.

Re:

[black3d]

Fair enough, but in that case, you can just use Discord through your browser and completely avoid everything he's complaining about in his post. Discord existing, as a service which doesn't even require Chromium (although one can optionally use the standalone app which is built on Electron), is not the reason for anything Google's doing. It's misdirected hate in the context under discussion. I get the feeling he hates Discord for another reason, but he doesn't really elaborate. But since using the desktop a

Re:

[arglebargle_xiv]

Note: Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed...

Tagon: Your ideas tend to result in unnecessary violence, Sergeant Schlock.

Schlock: And your point is...

Tagon: Let's broaden the definition of "necessary".

Do you think?

[puddingebola]

Do you think this was like a lesson in browser security 101 for Google?

The story is partially clickbait. Nine criticals

[raymorris]

The lesson here is recognizing click bait when you see it. Google *always* says users should install the latest updates. Every time they post an update, certain sites proclaim "Google begs Chrome users to update". We see the same headline here on Slashdot every few months. For example, the March 16th bug was bigger issue than than this one, from what I've seen.

Every month I do a series of presentations covering the new security vulnerabilities and updates for the month. One thing I consider is the CVSS scores of each. CVSS measures how critical a vulnerability is based on several factors. Every month, there are 5-15 critical (CVSS higher than 9.0 or above) vulnerabilities in Windows. Every month.

For example, last month's Windows updates had 120 vulnerabilities, of which NINE were critical. Nine.

https://krebsonsecurity.com/20... [krebsonsecurity.com]

Sometimes there are similarly rated vulnerabilities in Chrome. It's not the end of the world. It's monthly patching, just like every month. You patch, or double-check that you have automatic updates turned on, then go on with your day.

Currently there are nine critical vulnerabilities in Windows and one in Chrome. So install updates for both and enjoy the rest of your day.

If you aren't freaked out about the 120 vulnerabilities (nine critical) in Windows, don't freak out about the one in Chrome either. Just update and go on with your day.

Re:

[kmoser]

Currently there are nine known critical vulnerabilities in Windows and one in Chrome.

FTFY.

Re:

[gweihir]

No. Google does not care about browser security. They do only so much as to not endanger their business model (selling ads).

Re:

[ArmoredDragon]

I think Chrome is a big part of their ad strategy, otherwise they wouldn't even bother with it as it surely costs them a ton of money to maintain. Likewise, if people don't use it because of security issues, then that won't help their business model will it?

Google normally hides details for about 90 days

[tech-law-ny]

"Access to bug details and links may be kept restricted" just means that the April 26 post is no different from almost every other "Stable Channel Update for Desktop" post over the past several years. When the post first appears, readers don't have permission to view the linked crbug.com pages. Then, about 90 days later, most or all of the crbug.com pages become readable. You can look at https://chromereleases.googleb... [googleblog.com] as an example. If you click on the 1263457 crbug.com link, it now reaches a readable page on bugs.chromium.org - namely, the https://bugs.chromium.org/p/ch... [chromium.org] page. Near the bottom, it says "This bug has been closed for more than 14 weeks. Removing security view restrictions." In other words, details were hidden from mid-December until mid-March. The April 26 bug content would normally be scheduled to become fully public around late July / early August.

A bit too large

[stikves]

No software is bug free. However web browsers have become essentially separate operating systems of their own. They not only handle user interface and networking, but they also have virtual machines, memory management, task schedulers, I/O and access mechanisms, USB and other hardware drivers and whatnot.

Looking at Chromium:
https://github.com/chromium/ch... [github.com]

And Linux Kernel mirrors:
https://github.com/torvalds/li... [github.com]

It looks like Chromium receives 2x code updates than the Linux kernel.

Of course some bugs are bound to happen. Shall we "shrink" the browsers? I am not sure, that ship might have sailed. But we should be ready to see more updates like this in the future, not less.

Re: A bit too large

[LindleyF]

https://xkcd.com/1367/ [xkcd.com]

Re:

[AmiMoJo]

For Google the web is the platform. That's why they built Chrome in the first place, to make websites and web apps work as well as native ones. So in a sense it really is an OS.

Re:

[gweihir]

Indeed. In comparison to Microsoft, Google and others have actually managed to create a real cross-platform "OS wrapper". With WASM and JIT compilers, code in a browser can get something like 90% native performance (or better) these days.

Re:

[ArmoredDragon]

I wouldn't say 90%. Even WASM has to run within the DOM itself, which is also why it can't do anything that javascript can't already do. You're still pretty far removed from the metal, even if you compiled from say Rust, which is otherwise considered to be close to the metal.

Re:

[gweihir]

Software cannot realistically be bug-free and some bugs will be security bugs (the traditional estimate is 1 in 1000). However, software can be redundant enough in both functionality and security that a single security bug in a specific functionality does _not_ lead to an exploitable issue and hence there is time to patch things. That requires care and a lot of experience and skill though and not many coders have what it takes. Also, this slows things down and makes code creation more expensive. Hence it is

Re:

[bill_mcgonigle]

> Shall we "shrink" the browsers?

No, but it's time to adopt the privilege separation of Qubes/Whonix widely.

That is a normal release

[Carewolf]

They happened every other week. There is nothing special about it, unless Google warns about some of the issues being used in the wild, or mark them "Critical".

Security Through Obscurity

[NoMoreACs]

It's nice to see that Chrome's Development Team sucks so bad that a ham-fisted attempt at mitigating damage through the "I'm not gonna tell you!" Method is the best they could do.

They should have at least released some complicated bullshit smokescreen "explanation" to throw off the bad-guys during the patch rollout; rather than making it even more of a "game" for them...