Google Patches Chrome, Removes Suspect Extension

Posted on February 5, 2021 by Paul Thurrott in Google Chrome with 9 Comments

With the shift to web-based computing, it is perhaps not surprising that hackers are increasingly exploiting web browsers. And there is no browser more popular than Chrome, the latest version of which has already suffered from a zero-day attack.

“Google is aware of reports that an exploit for CVE-2021-21148 exists in the wild,” Google’s Srinivas Sista writes in a new post to the Chrome Releases blog. “We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel.”

Well, this one did: The exploit specifically targets Chrome 88, the latest stable version of the browser, forcing Google to reissue it. Those who already upgraded to Chrome 88 will be prompted to install an update, version 88.0.4324.150 for Windows, Mac, and Linux.

Google won’t disclose details of the vulnerability until “a majority of users are updated with a fix,” a courtesy it doesn’t provide to other platform makers, like Microsoft. But the vulnerability is described as a heap buffer overflow in Chrome’s V8 JavaScript engine.

Separately, Google has removed the Chrome extension The Great Suspender from its Chrome Web Store and is remotely uninstalling it from users’ computers because it’s been found to contain malware. This extension worked like the new sleeping tabs feature in Edge 88; it suspended idle Chrome tabs so that the browser would suck up fewer resources. (The Great Suspender was also removed from the Edge Add-Ons site, though it is of course now superfluous.)

Obviously, Chrome users should upgrade as soon as possible to the latest version. But if you’re concerned at all about Chrome, and you should be, since it tracks all your activities and sells that information to advertisers, this is a great time to upgrade to Microsoft Edge. Just saying.

Comments (12)


  1. yehuda

    As always @paul, love the snark paragraph to close it out and bring it home! :)

  2. wright_is

    Edge got a re-released update as well. Given the bug was in the V8 engine, it will affect Edge, Opera, Brave, Vivaldi and all other Chromium-based browsers.

    I'll be checking Brave on my home PC, when I get back from work.

    This is a great time to upgrade to Firefox, which doesn't use the same JavaScript and rendering engines. ;-)

    • Paul Thurrott

      This is probably the worst time ever to move to Firefox, which is a downgrade. :)
      • compunut

        In reply to paul-thurrott:


        This is very subjective. I am replying to this in Firefox and have no plans to switch away (although Edge would currently be my backup option). Firefox may not do some things that other browsers do like PWAs, but it does other things not available on other browsers that I really care about.


        One -- it has extensions that handle vertical tabs. I know Edge is supposed to have this 'any day now', but it isn't there yet in stable.


        Two -- a 1st party plugin called Multi-Account Containers (and a companion 1st party extension for Facebook specifically) that allows me to choose a different profile for every tab. I have a tab open to my work Microsoft Outlook and another tab open to my personal Microsoft Outlook. This may be available for Edge, but wasn't the last time I looked.


        It also does a great job of blocking trackers out of the box, although I have extensions installed that go even farther (uBlock Origin).


        I understand that PWAs are important to some people, but I'm not aware of any other features that are missing from Firefox other than that.


        Just my two cents...

        • Paul Thurrott

          Feature? It's not Chromium compatible and Mozilla/Firefox is dying as we speak.
          • wright_is

            In reply to paul-thurrott:

            But this situation shows exactly why a monoculture is a bad idea. All browsers, except Firefox and Safari, are affected by this bug.

            Doing away with the different rendering engines and JS interpreters means that the whole Web is more vulnerable to attack.

            One good zero day and you have the whole world at your mercy. If there is some variety, some will be unaffected and you have an alternative until your preferred browser is patched.

          • compunut

            In reply to paul-thurrott:


            I thought competition was good? Isn't the lack of a good competitor what allowed IE to make a mess of everything for years not so long ago?

  3. dftf

    It also makes me wonder how secure some of the other rivals are...


    After an update for Google Chrome on Android, it can often be a week or more before Brave or Vivaldi update to the same version of Chromium, which means you could be vulnerable on them whereas you wouldn't be on Google Chrome...

  4. mikegalos

    Of course bad extensions, like bad apps (as opposed to applications), are what curated private stores are supposed to prevent.

  5. navarac

    Upgrading to Edge is not necessarily great. I use just one Windows machine, the rest are Linux or Chromebooks. Makes sense to use Chrome across the board, which I have been doing since 2008 without issue. I feel that Microsoft are also on the advert bandwagon anyway. As for Firefox, I reckon it is about dead in the water. Better to look at Brave or Vivaldi.
