Naked Security

Another Chrome zero-day, this time on Android – check your version!

Another week, another Chrome zero-day, this time on your phone.

Two weeks ago, the big “zero-day” news concerned a bug in Chrome.
We advised everyone to look for a Chrome or Chromium version number ending in .111, given that the previous mainstream version turned out to include a buffer overflow bug that was already known to cybercriminals.
Loosely speaking, if the crooks get there first and start exploiting a bug before a patch is available, that’s known as a zero-day hole.
The name comes from the early days of software piracy, when game hackers took brand new product releases and competed to see who could “crack” them first.
As you can imagine, in the days before widespread internet access made free games with a subscription-based online component viable, games vendors often resorted to abstruse and complex technical tricks to inhibit unlawful duplication of their software.
Nevertheless, top crackers would often unravel even the most ornery software protection code in a few days, and the lower the number of days before the crack came out, the bigger the bragging rights in underground forums.
The ultimate sort of crack – the gold-medal-with-a-laurel-wreath version – was one that came out with a zero-day delay (more coolly called an 0-day, with 0 pronounced as “oh”, not “zero”), where the game and its revenue-busting crack appeared on the very same day.
And “zero-day” is a term that has stuck, with the word now denoting a period of zero days during which even the most scrupulous sysadmin could have patched proactively – whether the crooks have known about the bug for years, months, weeks or days.
Well, the bad news is that there’s another vital update to Chrome, which means that users on Windows, Linux and Mac should now be looking for a version number of 86.0.4240.183, not for 86.0.4240.111.
According to Google, there are seven CVE-numbered high severity vulnerabilities fixed this time, one of which (CVE-2020-16009) is a zero-day bug that’s already being exploited by attackers.

Worse on Android

On Android, things are worse, and the version you need is 86.0.4240.185, because the Android patches include a fix for an additional bug, dubbed CVE-2020-16010, that is apparently unique to the Android version of Chrome…
…and as Google once again drily notes, without any detail or explanation, “[we are] aware of reports that an exploit for CVE-2020-16010 exists in the wild.”
In short: Chrome for Android has a zero-day hole that crooks are already abusing, so you need to patch.
We don’t know how the crooks are abusing this bug, and we don’t know where it’s happening – if Google knows, it isn’t saying – so all we can advise is, “Get the update as soon as you can.”
As often happens, given the fragmented state of the Android ecosystem, updates arrive at different times and in different ways depending on what device you bought, from which manufacturer, with which vendor’s name on it, and possibly even which mobile network it’s connected to.
So, as usual, despite what sounds like a serious problem in the standard Android browser, Google can offer little more by way of consolation than its usual disclaimer that the new version will “become available on Google Play over the next few weeks.”
Check early, check often – and get the patch as early as possible.

What to do?

  • On Windows, Linux and Mac, look for version 86.0.4240.183. (Or later, depending on when you are reading this.)
  • On Android, look for version 86.0.4240.185.
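As an added check (example code written for this page, not something from the article or from Google), here is the version comparison the two bullets above ask you to do by eye, using the fixed build numbers quoted in the article. The `dumpsys` sample is constructed and the helper names are my own.

```python
# Added example: decide whether an installed Chrome build is at or beyond
# the fixed build the article quotes for each platform.
import re

# Minimum fixed builds from the article, per platform.
FIXED_VERSIONS = {
    "windows": "86.0.4240.183",
    "linux": "86.0.4240.183",
    "mac": "86.0.4240.183",
    "android": "86.0.4240.185",  # carries the extra CVE-2020-16010 fix
}


def parse_version(version):
    """Turn '86.0.4240.183' into (86, 0, 4240, 183) so each component compares numerically."""
    if not re.fullmatch(r"\d+(\.\d+){3}", version):
        raise ValueError(f"not a four-part Chrome version string: {version!r}")
    return tuple(int(part) for part in version.split("."))


def is_patched(installed, platform):
    """True when the installed build is the fixed build, or later, for that platform."""
    # Tuple comparison avoids the string-comparison trap where '.99' > '.185'.
    return parse_version(installed) >= parse_version(FIXED_VERSIONS[platform.lower()])


def version_from_dumpsys(dumpsys_output):
    """Pull versionName out of 'adb shell dumpsys package com.android.chrome' output."""
    match = re.search(r"versionName=(\d+(?:\.\d+){3})", dumpsys_output)
    if match is None:
        raise ValueError("no versionName line found in dumpsys output")
    return match.group(1)


# Constructed sample of the relevant dumpsys lines (not a real capture).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (3f2a1b):
    versionName=86.0.4240.185
"""

if __name__ == "__main__":
    found = version_from_dumpsys(SAMPLE_DUMPSYS)
    print(found, "patched on Android:", is_patched(found, "android"))
```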

The burning question, of course, if Google Play is still showing an earlier version for your device than the number given above, is “What then?”
As we noted above, Google has implied that this update may take weeks to reach all devices, and some old devices may not be getting updates anyway, in which case there isn’t a lot you can do but to live without the update until it arrives, or get a new phone that gets prompt patches.
If you are stuck without a Chrome update, you could consider switching to an alternative Android browser, albeit temporarily.
Look either for one that’s based on different software underpinnings, such as Firefox, or for one based on the Chromium codebase that is sufficiently different to Chrome that (so far as you can tell) the CVE-2020-16010 bug is not replicated in it.
You can switch your default browser using Settings > Set as default browser (Firefox, perhaps unsurprisingly, has detailed instructions on how to switch for various Android versions).
Note that on Google Android builds, Chrome is supplied with the operating system, in much the same way that Safari is part of iOS on Apple iPhones, and therefore can’t be uninstalled.
You can disable Chrome temporarily – or “turn it off so that it won’t show on the list of apps on your device”, in Google’s words – via the Settings > Apps & notifications option.


3 Comments

I don’t agree with the author’s statement about the play store update releases. I will agree that the Android OS ecosystem is highly fragmented given the nature of it being a hardware agnostic system, but that is also one of its strengths. However, back to the play store; I have never observed a situation in which a version available in the store is older than an installed app version. Perhaps some users go outside the play store to install apps, which may also be available in the store, but that is their choice, and they need to be aware of the risks they are taking. After reading this article, I went to the play store on my phone to look up the Chrome app, and, sure enough, there was the newest release mentioned in this article for the patch, released on Nov. 2nd. I do not allow automatic updating of apps and prefer to regularly check what is in the list to be updated, and I do not chase after the latest fashionable apps either. I also run malware protection on my phone, but have never had a single malware incident.
Speaking of the Android OS, I recently purchased an Android One phone, a Nokia 5.3, because I grew tired of all the bloatware vendors put on their mobile devices. What a wonderfully clean experience. I highly recommend Android One for anyone interested in a cleaner, less cluttered, mobile experience.
Ultimately, I always look forward to these Sophos articles listed in the daily “Naked Security” emails that I receive. So, once again, thanks for the heads-up and insights about this latest bug.


Thanks for your comment – I have edited the article to make it clearer what I meant about the Play Store version possibly being “old”.
The article now says, “The burning question, of course, if Google Play is still showing an earlier version for your device than the number given above [86.0.4240.185], is “What then?”
I didn’t mean to imply that you might go to Google Play and find that the version number there had gone *backwards* from what you already had on your phone before the update, merely that you might go to the Play Store and still not find the listed 86.0.4240.185 version ready for you.
I stand by that statement, because Google Play explicitly says, for Chrome: “Current version: depends on device. Requires Android [version]: depends on device. [Package] size: depends on device.” In other words, even if there is an update available for you in the Play Store, there’s no guarantee that you will get all the way to 86.0.4240.185 yet.
After all, Google elsewhere talks about the update becoming available “over the next few weeks,” which doesn’t sound to me as though the 86.0.4249.185 build is universally ready yet – even though your particular handset might be covered already.
