
Chrome update 111.0.5563.65 for Windows and other platforms available.

Google patches 40 security vulnerabilities in version 111 of the web browser.

The new Google Chrome web browser update to version 111 patches 40 security vulnerabilities. Several of these are classified as high risk.

Of the 40 vulnerabilities, the developers classify eight as high risk, eleven as medium risk and five as low risk. Google apparently found the remaining 16 vulnerabilities internally and does not publish a risk classification for these.

High-risk vulnerabilities fixed

The most serious vulnerability appears to be a use-after-free bug in the browser's SwiftShader component. In this class of bug, the program code accesses resources such as pointers or memory areas that have already been released and finds them in an undefined state, which can lead to a crash. Often, however, these vulnerabilities even allow the execution of injected malicious code. The corresponding CVE entry (CVE-2023-1213, risk classification high) explains that remote attackers could exploit the vulnerability, a heap corruption, by means of manipulated websites.

A type confusion vulnerability in the JavaScript engine V8 has a similar effect. Attackers could use manipulated websites to provoke heap corruption and thus possibly execute arbitrary code (CVE-2023-1214, risk high). Further short descriptions of the vulnerabilities can be found in Google's release notes.

The fixed versions after updating Chrome are 111.0.5563.54 for iOS, 111.0.5563.64 for Mac and Linux and 111.0.5563.64/.65 for Windows. The extended stable release for Linux and Mac is now at version 110.0.5481.192.

To check whether the version installed on the computer is already up to date, click the Chrome menu, which is hidden to the right of the address bar behind the symbol with three vertically stacked dots, and from there go to Help > About Google Chrome.

The dialog shows the version currently in use, starts downloading and installing the update if necessary, and then prompts you to restart your browser.

Linux users typically need to go to their distribution's software manager to check for updated packages.
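For administrators who have to check many machines rather than one, the following added example (not part of the original article and not Google's code) compares reported Chrome versions against the fixed builds named above. The inventory rows, host names and function names are constructed for illustration; the point is that version fields must be compared as numbers, not as strings.

```python
import re

# Fixed builds per platform and channel, taken from the article above.
FIXED = {
    ("windows", "stable"): "111.0.5563.64",
    ("mac", "stable"): "111.0.5563.64",
    ("linux", "stable"): "111.0.5563.64",
    ("ios", "stable"): "111.0.5563.54",
    ("mac", "extended"): "110.0.5481.192",
    ("linux", "extended"): "110.0.5481.192",
}

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints so fields compare numerically."""
    text = text.strip()
    if not re.fullmatch(r"[0-9]+(\.[0-9]+){3}", text):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def check(platform, channel, installed):
    """Return 'patched', 'outdated' or 'unknown' for one installation."""
    fixed = FIXED.get((platform.lower(), channel.lower()))
    if fixed is None:
        return "unknown"  # the article gives no fixed build for this combination
    try:
        have = parse_version(installed)
    except ValueError:
        return "unknown"  # unparsable inventory value: review by hand
    return "patched" if have >= parse_version(fixed) else "outdated"

# Constructed sample inventory: (host, platform, channel, reported version).
INVENTORY = [
    ("ws-01", "windows", "stable", "111.0.5563.65"),
    ("ws-02", "windows", "stable", "111.0.5563.9"),   # a string compare would pass this
    ("mb-01", "mac", "extended", "110.0.5481.192"),
    ("lx-01", "linux", "stable", "110.0.5481.100"),
    ("lx-02", "linux", "stable", "Version 111"),       # malformed entry
]

def audit(inventory):
    """Map each host to its patch status."""
    return {host: check(p, c, v) for host, p, c, v in inventory}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" are the ones to inspect manually, since the article lists no fixed build for that platform and channel or the reported value could not be parsed.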

Since the vulnerabilities also affect the underlying Chromium project, web browsers based on it, such as Microsoft's Edge, should soon follow suit with updated versions.

About two weeks ago, Google had to close ten vulnerabilities in Chrome. One of them was even considered critical.

About Author

I am a technology writer for UpdateStar, covering software, security, and privacy as well as research and innovation in information security. I worked as an editor for German computer magazines for more than a decade before starting to be a team member at UpdateStar.
