Governance & Risk Management , IT Risk Management , Patch Management

Google to Patch 8 Chrome Flaws, Including a Zero-Day

Company Also Plans to Upgrade All Page Loads to HTTPS
Google to Patch 8 Chrome Flaws, Including a Zero-Day

Google will soon release a security update to address eight vulnerabilities in its Chrome browser, including a high-severity zero-day flaw that's being exploited in the wild.

See Also: Finding and Managing the Risk in your IT Estate: A Comprehensive Overview

Google also plans to offer "HTTPS-First Mode," which is intended to upgrade all Chrome page loads to HTTPS and display a full-page warning before loading sites that don’t support it.

The Chrome 91.0.4472.164 security update addressing the eight flaws will be issued "over the coming days/weeks" for browsers running on Windows, Mac and Linux devices, Google says in a blog post.

"Google is aware of reports that an exploit for CVE-2021-30563 exists in the wild," the company says, referring to the zero-day. The vulnerability was reported anonymously on July 12.

Google did not immediately respond to Information Security Media Group's request for comment on the nature of the flaws and the risks they pose.

In addition to the zero-day, the Chrome update will address these flaws: CVE-2021-30559, CVE-2021-30541, CVE-2021-30560, CVE-2021-30564, CVE-2021-30561 and CVE-2021-30562.

Although the blog post says eight issues are addressed, it only lists fixes for seven flaws identified by external researchers. Google did not respond to ISMG's request for further details about the eighth flaw.

The announcement of the upcoming Chrome update comes months after the technology giant patched another zero-day vulnerability in Chrome.

Bid for Safer Browsing

Google is also preparing to update the Chrome browser with a protocol designed to upgrade all page loads to HTTPS, making internet browsing more secure, according to a separate blog post from the company.

The HTTPS-First Mode, scheduled for release Sept. 21 with version M94, will show a full-page warning for sites that don’t support HTTPS, it says.

"When a browser connects to websites over HTTPS (vs. HTTP), eavesdroppers and attackers on the network can't intercept or alter the data that's shared over that connection (including personal information, or even the page itself). This level of privacy and security is vital for the web ecosystem," the blog says.

The company says it also will reexamine the use of the lock icon in the URL bar of its browser.

Often users associate the lock icon with a site being trustworthy, when, in fact, it's only the connection that's secure, the blog post says.

"In a recent study, we found that only 11% of participants could correctly identify the meaning of the lock icon. To try and reduce this confusion, Chrome will run an experiment in M93 that replaces the lock in the address bar with a more neutral entry point to page info," the blog says.

"Importantly, a 'not secure' indicator will continue to show on sites without HTTPS support, and the experiment includes an enterprise policy in case organizations want to opt out. In all cases, we'll provide advance notice if we decide to move ahead with a full launch," Google says.

In November 2020, Mozilla introduced an HTTPS-Only mode in the Firefox 83 version of its browser.

About the Author

Rashmi Ramesh

Rashmi Ramesh

Assistant Editor, Global News Desk, ISMG

Ramesh has seven years of experience writing and editing stories on finance, enterprise and consumer technology, and diversity and inclusion. She has previously worked at formerly News Corp-owned TechCircle, business daily The Economic Times and The New Indian Express.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.