Security Experts:

Chrome 88 Drops Flash, Patches Critical Vulnerability

Google has released Chrome 88 to the stable channel with several security improvements inside, including patches for 36 vulnerabilities, one of which is rated critical severity, and dropped support for Adobe Flash.

The removal of Flash support isn’t surprising, considering that the software reached end-of-life on December 31, 2020, and Adobe started blocking Flash content last week.

Chrome 88 also arrived with improved password protections, including a check that helps users identify weak passwords and immediately act upon the issue, to ensure better protection of their accounts.

Starting with the new browser release, password management is even easier in the Chrome settings on desktop and iOS. Chrome was already prompting users to update their saved passwords at login, and now updating multiple usernames and passwords has been simplified, the Internet search giant says.

The new browser iteration arrives with patches for a total of 36 vulnerabilities, 26 of which were reported by external researchers. The flaws can be exploited if the user visits or is redirected to a specially crafted webpage.

The most important of these is CVE-2021-21117, an insufficient policy enforcement issue in Cryptohome that was rated critical severity. Exploitation of the bug could result in arbitrary code execution in the context of the browser, the Multi-State Information Sharing and Analysis Center (MS-ISAC) notes in an advisory.

The issue was reported by Rory McNamara, who received a $30,000 bug bounty reward for the discovery.

A total of nine vulnerabilities rated high severity were reported by external researchers, with use-after-free being the most frequent bug type (six of the vulnerabilities). Two high-risk insufficient data validation flaws and one insufficient policy enforcement were also addressed.

Six of the ten medium-severity flaws reported externally were insufficient policy enforcement bugs, accompanied by two inappropriate implementations, one heap buffer overflow, and one incorrect security UI issue.

Chrome 88 also addresses six low-severity vulnerabilities reported by external researchers.

Google says it paid more than $80,000 in bug bounties to the reporting researchers, but the company hasn’t disclosed all of the reward amounts yet.

The latest stable version of Chrome is 88.0.4324.96 and is currently rolling out to Windows, Mac and Linux users.

Related: Chrome, Edge and Firefox May Leak Information on Installed Apps

Related: Chrome Update Patches Actively Exploited FreeType Vulnerability

Related: Google Patches Actively Exploited Chrome Vulnerabilities

view counter