Security Experts:

Connect with us

Hi, what are you looking for?



Chrome 88 Drops Flash, Patches Critical Vulnerability

Google has released Chrome 88 to the stable channel with several security improvements inside, including patches for 36 vulnerabilities, one of which is rated critical severity, and dropped support for Adobe Flash.

Google has released Chrome 88 to the stable channel with several security improvements inside, including patches for 36 vulnerabilities, one of which is rated critical severity, and dropped support for Adobe Flash.

The removal of Flash support isn’t surprising, considering that the software reached end-of-life on December 31, 2020, and Adobe started blocking Flash content last week.

Chrome 88 also arrived with improved password protections, including a check that helps users identify weak passwords and immediately act upon the issue, to ensure better protection of their accounts.

Starting with the new browser release, password management is even easier in the Chrome settings on desktop and iOS. Chrome was already prompting users to update their saved passwords at login, and now updating multiple usernames and passwords has been simplified, the Internet search giant says.

The new browser iteration arrives with patches for a total of 36 vulnerabilities, 26 of which were reported by external researchers. The flaws can be exploited if the user visits or is redirected to a specially crafted webpage.

The most important of these is CVE-2021-21117, an insufficient policy enforcement issue in Cryptohome that was rated critical severity. Exploitation of the bug could result in arbitrary code execution in the context of the browser, the Multi-State Information Sharing and Analysis Center (MS-ISAC) notes in an advisory.

The issue was reported by Rory McNamara, who received a $30,000 bug bounty reward for the discovery.

A total of nine vulnerabilities rated high severity were reported by external researchers, with use-after-free being the most frequent bug type (six of the vulnerabilities). Two high-risk insufficient data validation flaws and one insufficient policy enforcement were also addressed.

Six of the ten medium-severity flaws reported externally were insufficient policy enforcement bugs, accompanied by two inappropriate implementations, one heap buffer overflow, and one incorrect security UI issue.

Chrome 88 also addresses six low-severity vulnerabilities reported by external researchers.

Google says it paid more than $80,000 in bug bounties to the reporting researchers, but the company hasn’t disclosed all of the reward amounts yet.

The latest stable version of Chrome is 88.0.4324.96 and is currently rolling out to Windows, Mac and Linux users.

Related: Chrome, Edge and Firefox May Leak Information on Installed Apps

Related: Chrome Update Patches Actively Exploited FreeType Vulnerability

Related: Google Patches Actively Exploited Chrome Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.