Connect with us

Hi, what are you looking for?



Chrome 88 Drops Flash, Patches Critical Vulnerability

Google has released Chrome 88 to the stable channel with several security improvements inside, including patches for 36 vulnerabilities, one of which is rated critical severity, and dropped support for Adobe Flash.

Google has released Chrome 88 to the stable channel with several security improvements inside, including patches for 36 vulnerabilities, one of which is rated critical severity, and dropped support for Adobe Flash.

The removal of Flash support isn’t surprising, considering that the software reached end-of-life on December 31, 2020, and Adobe started blocking Flash content last week.

Chrome 88 also arrived with improved password protections, including a check that helps users identify weak passwords and immediately act upon the issue, to ensure better protection of their accounts.

Starting with the new browser release, password management is even easier in the Chrome settings on desktop and iOS. Chrome was already prompting users to update their saved passwords at login, and now updating multiple usernames and passwords has been simplified, the Internet search giant says.

The new browser iteration arrives with patches for a total of 36 vulnerabilities, 26 of which were reported by external researchers. The flaws can be exploited if the user visits or is redirected to a specially crafted webpage.

The most important of these is CVE-2021-21117, an insufficient policy enforcement issue in Cryptohome that was rated critical severity. Exploitation of the bug could result in arbitrary code execution in the context of the browser, the Multi-State Information Sharing and Analysis Center (MS-ISAC) notes in an advisory.

The issue was reported by Rory McNamara, who received a $30,000 bug bounty reward for the discovery.

Advertisement. Scroll to continue reading.

A total of nine vulnerabilities rated high severity were reported by external researchers, with use-after-free being the most frequent bug type (six of the vulnerabilities). Two high-risk insufficient data validation flaws and one insufficient policy enforcement were also addressed.

Six of the ten medium-severity flaws reported externally were insufficient policy enforcement bugs, accompanied by two inappropriate implementations, one heap buffer overflow, and one incorrect security UI issue.

Chrome 88 also addresses six low-severity vulnerabilities reported by external researchers.

Google says it paid more than $80,000 in bug bounties to the reporting researchers, but the company hasn’t disclosed all of the reward amounts yet.

The latest stable version of Chrome is 88.0.4324.96 and is currently rolling out to Windows, Mac and Linux users.

Related: Chrome, Edge and Firefox May Leak Information on Installed Apps

Related: Chrome Update Patches Actively Exploited FreeType Vulnerability

Related: Google Patches Actively Exploited Chrome Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.