ChromeOS 106 has finally arrived

ChromeOS 106 is nearly two weeks behind schedule but with all that Google has going on at the moment, I suppose the delay can be forgiven. If you have been sitting on the sidelines, anxiously awaiting the update to version 106, I come bearing good news. As of this morning, ChromeOS 106 has begun its rollout to select devices and should arrive for most over the coming days. It appears that the majority of late-model consumer devices are ready for the update with a handful of 12th Gen and Enterprise models still holding on ChromeOS 105. This isn’t unusual as Google prefers to stagger updates to prevent any unforeseen bugs from making their way into mission-critical machines.

What’s new in ChromeOS 106

If you’re here for the features, I’m afraid that you’ve come to the wrong place. Like the browser, ChromeOS 106 is very light on new tricks but heavy on security updates. That said, there is one feature hiding in plain sight that you may want to try out if you aren’t afraid to enable a flag. Before we get to that, let’s go over the security updates, bug fixes, and patches that arrived for the OS and the browser in ChromeOS 106.

Since Google is essentially splitting the Chrome browser from ChromeOS, the security fixes have been listed separately in release notes. Here are the ChromeOS-specific bug fixes and security patches for ChromeOS 106.

• [$3000] [1343104] High CVE-2022-3201 Insufficient validation of untrusted input in DevTools. Reported by NDevTK
• [$2000] [1320139] High CVE-2022-3306 Use-after-free in Ash. Reported by eternalsakuraalpha@gmail.com
• [$3000] [1319229] High CVE-2022-3305 Use-after-free in Ash. Reported by eternalsakuraalpha@gmail.com
• [$4000] [1348415] Medium CVE-2022-3309 Use-after-free in ChromOS. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab.
• [$TBD] [1363030] Medium CVE-TBD Use-after-free in OverlayManager. Reported by wxhusst@gmail.com.
• [$5000] [1343219] Medium CVE-TBD Use-after-free in Ash. Reported by OP!.
• [$2000] [1328708] Medium CVE-2022-3314 Use-after-free in ChromeOS. Reported by Anonymous.
• [$TBD] [1303306] Medium CVE-2022-3312 Security: Locked devices. Reported by hessenhess@googlemail.com.
• [$TBD] [1314674] Medium CVE-TBD Security: Use-after-free in ARC Reported by eternalsakuraalpha@gmail.com
• [$TBD] [1318791] Low CVE-2022-3318 Use-after-free in ChromeOS. Reported by GraVity0

The Chrome browser contained even more security patches but that’s not a bad thing. Since Chrome and ChromeOS are now on a 4-week update cycle, the ongoing bug fixes equate to more security for users around the globe. The stable release of Chrome 106 for desktop contained nearly twenty bug fixes and security patches that netted bug hunters more than $50,000 in bug bounties. Here are the patches for the Chrome 106 browser.

• [$9000][1358907] High CVE-2022-3304: Use after free in CSS. Reported by Anonymous on 2022-09-01
• [$3000][1343104] High CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools. Reported by NDevTK on 2022-07-09
• [$TBD][1319229] High CVE-2022-3305: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-24
• [$TBD][1320139] High CVE-2022-3306: Use after free in Survey. Reported by Nan Wang(@eternalsakura13) and Guang Gong of 360 Vulnerability Research Institute on 2022-04-27
• [$TBD][1323488] High CVE-2022-3307: Use after free in Media. Reported by Anonymous Telecommunications Corp. Ltd. on 2022-05-08
• [$7500][1342722] Medium CVE-2022-3308: Insufficient policy enforcement in Developer Tools. Reported by Andrea Cappa (zi0Black) @ Shielder on 2022-07-08
• [$4000][1348415] Medium CVE-2022-3309: Use after free in Assistant. Reported by zh1x1an1221 of Ant Group Tianqiong Security Lab on 2022-07-29
• [$1000][1240065] Medium CVE-2022-3310: Insufficient policy enforcement in Custom Tabs. Reported by Ashwin Agrawal from Optus, Sydney on 2021-08-16
• [$TBD][1302813] Medium CVE-2022-3311: Use after free in Import. Reported by Samet Bekmezci @sametbekmezci on 2022-03-04
• [$TBD][1303306] Medium CVE-2022-3312: Insufficient validation of untrusted input in VPN. Reported by Andr.Ess on 2022-03-06
• [$TBD][1317904] Medium CVE-2022-3313: Incorrect security UI in Full Screen. Reported by Irvan Kurniawan (sourc7) on 2022-04-20
• [$TBD][1328708] Medium CVE-2022-3314: Use after free in Logging. Reported by Anonymous on 2022-05-24
• [$7000][1322812] Medium CVE-2022-3315: Type confusion in Blink. Reported by Anonymous on 2022-05-05
• [$5000][1333623] Low CVE-2022-3316: Insufficient validation of untrusted input in Safe Browsing. Reported by Sven Dysthe (@svn_dy) on 2022-06-07
• [$2000][1300539] Low CVE-2022-3317: Insufficient validation of untrusted input in Intents. Reported by Hafiizh on 2022-02-24
• [$TBD][1318791] Low CVE-2022-3318: Use after free in ChromeOS Notifications. Reported by GraVity0 on 2022-04-22
• [$3000][1243802]Low CVE-2022-3443:Insufficient data validation in File System API. Reported by Maciej Pulikowski and Konrad Chrząszcz on 2021-08-27
• [$1000][1208439] Low CVE-2022-3444: Insufficient data validation in File System API. Reported by Archie Midha & Vallari Sharma on 2021-05-12

To see if your Chromebook is ready to take the update to 106, simply click the status area at the bottom-right of your screen. Click the gear icon to open the settings menu and click About ChromeOS. Smash that “check for updates” button and see what you get. You can also check out this cool website that will show you what version nearly every ChromeOS device is on for every available channel. If you don’t have the update, don’t panic. It will be along in the next few days and you’ll be all up to date.

Oh, you thought I forgot that flag I mentioned? Nope, I’ve got you covered. If you frequent pages that are in another language, Google has added a neat little translation feature that works directly in the browser. Granted, Chrome already automatically translates websites into your default language but this feature comes in handy if you need to simply translate a small sample of text. To enable the feature, you’ll need to point your browser to chrome://flags and search for Desktop Partial Translate. Alternatively, you can go straight to the flag by using this URL. chrome://flags/#desktop-partial-translate

Click on the dropdown menu and set the flag to “enabled.” Now, you’ll be prompted to restart your browser. Do so and you are all set. Now, when you highlight a section of the text, you’ll get a nice addition to the popup menu that will translate it for you without having to translate the entire page. Nifty.

That’s about it for this go-round. ChromeOS 107 should be a bit more feature-rich and we have a lot of stuff to look forward to before the end of the year. Stay tuned for updates on ChromeOS gaming, new enterprise features, and of course, everything else from the world of Google. Don’t forget to sign up for our newsletter so you can stay in the loop.