Chrome 96 rolls out with a slew of security updates

We’re only two weeks away from the landmark release of Chrome OS 96 that will bring the Chrome browser and the Chrome operating system back into parity of release schedules. After the release of Chrome OS 96 in late November, the browser and the OS will enjoy a 4-week release cycle with the desktop browser releasing roughly two days prior to Chrome OS. For now, we have a two-week gap between the two pieces of software, and this week, version 96 of the Chrome Desktop Browser has landed with a slew of security updates and patches. Check out the eighteen security fixes and who reported them in the list below.

• [$7500][1263620] High CVE-2021-38008: Use after free in media. Marcin Towalski of Cisco Talos on 2021-10-26
• [$2000][1260649] High CVE-2021-38009: Inappropriate implementation in cache. Luan Herrera (@lbherrera_) on 2021-10-16
• [$TBD][1240593] High CVE-2021-38006: Use after free in storage foundation. Sergei Glazunov of Google Project Zero on 2021-08-17
• [$TBD][1254189] High CVE-2021-38007: Type Confusion in V8. Polaris Feng and SGFvamll at Singular Security Lab on 2021-09-29
• [$TBD][1241091] High CVE-2021-38005: Use after free in loader. Sergei Glazunov of Google Project Zero on 2021-08-18
• [$TBD][1264477] High CVE-2021-38010: Inappropriate implementation in service workers. Sergei Glazunov of Google Project Zero on 2021-10-28
• [$TBD][1268274] High CVE-2021-38011: Use after free in storage foundation. Sergei Glazunov of Google Project Zero on 2021-11-09
• [$15000][1262791] Medium CVE-2021-38012: Type Confusion in V8. Yonghwi Jin (@jinmo123) on 2021-10-24
• [$10000][1242392] Medium CVE-2021-38013: Heap buffer overflow in fingerprint recognition. raven (@raid_akame) on 2021-08-23
• [$5000][1248567] Medium CVE-2021-38014: Out of bounds write in Swiftshader. Atte Kettunen of OUSPG on 2021-09-10
• [$3000][957553] Medium CVE-2021-38015: Inappropriate implementation in input. David Erceg on 2019-04-29
• [$3000][1244289] Medium CVE-2021-38016: Insufficient policy enforcement in background fetch. Maurice Dauer  on 2021-08-28
• [$2500][1256822] Medium CVE-2021-38017: Insufficient policy enforcement in iframe sandbox. NDevTK on 2021-10-05
• [$2000][1197889] Medium CVE-2021-38018: Inappropriate implementation in navigation. Alesandro Ortiz on 2021-04-11
• [$1000][1251179] Medium CVE-2021-38019: Insufficient policy enforcement in CORS. Maurice Dauer on 2021-09-20
• [$1000][1259694] Medium CVE-2021-38020: Insufficient policy enforcement in contacts picker. Luan Herrera (@lbherrera_) on 2021-10-13
• [$500][1233375] Medium CVE-2021-38021: Inappropriate implementation in referrer. Prakash (@1lastBr3ath) and Jun Kokatsu on 2021-07-27
• [$TBD][1248862] Low CVE-2021-38022: Inappropriate implementation in WebAuthentication. Michal Kepkowski on 2021-09-13

With over $53,000 in bug bounties paid out and more to be determined, it looks like the latest version of Chrome is focused heavily on security with little in the way of feature updates. The changelog for this update is massive and I expect that there are a lot of “under the hood” changes that may not present themselves visibly to the end-user but we’ll be digging through the changes to see what’s new and let you know what to look for in Chrome 96. Needless to say, the security updates alone are worth making sure your Chrome browser is up to date. Chrome 96 will be rolling out to users worldwide over the next few days and you can check to make sure you’re on the latest version by heading to the three-dot menu at the top-right of Chrome and selecting “Help” and “About Google Chrome.”

We can expect the update to Chrome OS 96 on or around November 30th and when that happens, we will also witness the launch of the first official long-term support(LTS) channel for Chrome OS. This version gives managed users access to a more-stable long-term release of Chrome OS that receives a major update every six months with security updates every two weeks. You can learn more about the new LTS updates here. Don’t forget to check back as we bring you updates on what’s new in Chrome 96 and the upcoming release of Chrome OS 96.