Put down the cat, coffee, beer pint, martini, whatever you're holding, and make sure you've updated Chrome (unless you enjoy being hacked)

If Google Chrome is bugging you to update it right now, please stop what you're doing, and get that upgrade. The latest version fixes a security vulnerability (CVE-2019-5786) that can be potentially exploited by malicious webpages to hijack the software, and run spyware, ransomware, and other nasties on your device or machine …

  1. Blockchain commentard Silver badge

    Wondered why my Chromebook suddenly wanted to update itself. Now to do all my Windows PCs.

    The big question though is, when Edge takes Chrome as its engine, will Microsoft shove out an update out of sync?

    1. sabroni Silver badge

      This is indeed a story worth diverting to ms at every opportunity.

      Just like Google just did with their "look! Windows bug!" announcement.

    2. phuzz Silver badge
      Trollface

      >The big question though is, when Edge takes Chrome as its engine, will Microsoft shove out an update out of sync?

      I don't think either of Edge's users will be affected tbh

      1. katrinab Silver badge
        Windows

        When Edge takes Chrome as its engine, why would you want to download a Google wrapper for it?

        1. LDS Silver badge
          Devil

          Depends only on who you would like to send your browsing habits to.

          1. Roland6 Silver badge

            >Depends only on who you would like to send your browsing habits to.

            Then in the interests of balance, you should include the Yandex browser on your list...

  2. anthonyhegedus Silver badge

    It’s hard to persuade some of our customers to upgrade. To them it’s either a nuisance, something to be forgotten or even worse they don’t like updating because it causes problems, or at least they think it does.

    At least with chrome you just have to restart it.

    1. katrinab Silver badge

      I had to delete my user profile because it would only work in Guest mode.

    2. Smartypantz

      And your customers are correct. "upgrades", which should always be in quotes these days, especially from the ilk of creeps like Google and Microsoft, mostly are about benefits for the supplier, and are, more often than not, detrimental to the interests of the user. A. K. A. antifeatures. How do the end users distinguish? They can not.

    3. ben kendim

      There are very valid reasons to not upgrade Chrome...

      If you are running flash, especially in full screen kiosk mode, it is not feasible to upgrade Chrome.

      Because Google took out a user's ability to always allow flash from specific sites using the chrome://flags/#enable-ephemeral-flash-permission flag in v. 69, anyone using flash in an unattended kiosk needs to use an earlier version. (Never mind that Google doesn't even have an ftp site for old versions, you need to get them from who.knows.what.malware.lies.here.com.)

      See https://productforums.google.com/forum/#!msg/chrome/7y0gbgs06L8/3ehByJReGQAJ or many other posts from aggravated users.

      So much for doing no evil. I wish I could take back the many thousands of $ I gave Google, buying many Nexus'es, Pixels, storage, Fi subscriptions, etc...

    4. Gene Cash Silver badge

      I haven't been able to upgrade from Firefox 43... Mozilla removed several important features in 44.

      Even Pale Moon followed suit, so I'm stuck on 27.6.2 there too.

  3. Esme

    Just Chrome, or is Chromium affected as well?

    1. Martin Marv

      Chromium is affected as well, yes

      1. Esme

        @Martin Marv - thank you, much appreciated!

      2. cosmogoblin

        Can anybody help?

        I'm running Mint 17.3 (Cinnamon, 64-bit). The repos have Chromium 65.0.3325.181, which dates from March 2018; Chromium's latest version is apparently 74.

        Given that I can't update Mint on this laptop (nVidia's fault), is there a relatively simple way to force an update while keeping my browser settings?

        1. Harry Stottle

          No Mint expertise

          not even a Mint user but can't you just download a full installation and run that? On windows, that didn't use to overwrite my settings.

          to be safe, though, you probably ought to back up your settings. This page will give you a clue what to look for and where (though it's windoze centric so you'll have to extrapolate)

          'course, haven't tried it for a few years, since I switched to SRWare Iron (privacy protection Chrome fork)

          My question to the panel is "is Iron equally at risk?" but I think the "Chromium" question above might have answered that...

          good luck

        2. UKHobo

          The problem is discussed at length here: https://forums.linuxmint.com/viewtopic.php?f=61&t=220892

          There's a whole lot of "don't upgrade your O/S if you don't need to" talk around linux mint but if you're a die hard chromium user that depends on the official repos for your installed packages, that is one reason to upgrade because there's no support for chromium updates in the 17.3 repos any more. It is supported in 18.x +

          Another option is you could attempt to build it yourself and stick with 17.3..

        3. aqk
          Linux

          Mint? Ubuntu?

          What! Why aren't you using the supplied Firefox as recommended?

          Problem solved.

          1. Claverhouse Bronze badge

            Re: Mint? Ubuntu?

            Probably because all Firefoxes since Australis are so, so, utterly fugly.

            Seriously, minimalism makes me want to vomit.

            .

            .

            And as regards the article, it's like Microsoft: anyone who uses Chrome deserves all they get.

  4. ds6 Bronze badge
    Coat

    Use Links...

    ...Never get hacked.

    Join the revolution (that happened 20 years ago)

    1. MiguelC Silver badge

      Get off my lawn with your modern browsers and all that!

      Go real old school and use Lynx instead

      1. Anonymous Coward
        Anonymous Coward

        Re: Get off my lawn with your modern browsers and all that!

        I prefer to telnet to port 80 and read the markup myself.

        1. Wilco

          Re: Get off my lawn with your modern browsers and all that!

          telnet? Luxury. I prefer to handcraft a tcp/ip and http protocol analyser stack in x86 assembly and pipe the output through od -o to read the webpage in octal

          1. Alister Silver badge

            Re: Get off my lawn with your modern browsers and all that!

            tcp/ip? http?

            I just use nano-magnets to affect the flow of electrons in a Cat5 cable so that the correct signals are sent over the internet... Simples...

            1. Paul Kinsler

              Re: I just use nano-magnets to ...

              I did actually once see a guy flip manual switches on (a thing plugged into) a serial line to see if it was still working....

            2. Wilseus

              Re: Get off my lawn with your modern browsers and all that!

              Well, we 'ad it tough...

          2. Smartypantz

            Re: Get off my lawn with your modern browsers and all that!

            Good for you! Enjoy it while you can! Because it is only a matter of time before the last of the open protocols (mainly HTTP and SMTP are left) gets killed off by GAFAM.

        2. katrinab Silver badge
          Trollface

          Re: Get off my lawn with your modern browsers and all that!

          Mostly it tells you that you will find what you are looking for on port 443

    2. Anonymous Coward
      Anonymous Coward

      Re: Use Links...

      Ironically, clicking the 'Products' or 'About' links on the Links website produces 404 error pages. Doesn't inspire much confidence.

  5. bigphil9009

    Double standards?

    It seems like Google are keeping schtum about their own vulnerability until sufficient users have patched, yet are trumpeting MS’s vuln from the rooftops - this seems like double standards to me, or am I missing something?

    1. DougS Silver badge

      Re: Double standards?

      Of course it is double standards. They release info about others' vulnerabilities if they can't meet the 90 day deadline, but I'm quite certain that if they need longer than 90 days to fix their own issues they won't do similar.

      1. BebopWeBop Silver badge
        Trollface

        Re: Double standards?

        While not defending Google's behaviour, I suspect that is the same with both Apple and Microsoft, Oracle and just about any software company (although I am aware of some honourable exceptions, even those who have not been publicly warned)

        1. DougS Silver badge

          Re: Double standards?

          Except that Apple, Microsoft, Oracle et al don't have a policy that if they find an exploit in someone else's software they'll make the details public if it doesn't get fixed in an arbitrary 90 day limit that doesn't account for some problems being more difficult to fix etc. Only Google does, which is why they deserve special scorn here.

          1. doublelayer Silver badge

            Re: Double standards?

            I'm usually in favor of some schedule of release if the bug is not fixed in a reasonable amount of time, but that reasonable amount of time has to be calculated separately for each new bug and take into account updates by the company involved. That release only helps if it encourages a company to work on fixing the bug when they otherwise would not, not as a stick that really does not always provide the same benefit.

  6. Marketing Hack Silver badge

    But..but...but...

    What if I am reading El Reg when it encourages me to stop what I am doing and upgrade my browser? One of life's great conundrums...

  7. Conundrum1885

    Chrome

    Incidentally noticed that the previous version stopped working on some sites that work fine on Firefox.

    Have yet to test it but looks OK so far with webmail.

    Note: some Chromebooks notably the R11 do actually tell you that the OS needs updating.

    1. Someone Else Silver badge

      Re: Chrome

      The update also hosed up some of the settings in ScriptSafe. Minor annoyance, but be aware...

  8. sabroni Silver badge
    Facepalm

    won't it be great

    When chrome's the only browser?

    1. Anonymous Coward
      Anonymous Coward

      Re: won't it be great

      Don't let this happen. We need browser diversity. We don't need another IE6. Support Firefox.

      1. BebopWeBop Silver badge

        Re: won't it be great

        I suspect he was joking (I upvoted on that basis anyway)

      2. Gene Cash Silver badge

        Re: won't it be great

        I stopped supporting Firefox when Mozilla went on a rampage of removing features and functionality.

        I recommend against it for anyone who asks. As a Linux user, I'd rather see them using IE.

        1. ds6 Bronze badge

          Re: won't it be great

          FF is still powerful, they just replaced old, aging implementations with better ones. Whether or not their timing was good (it wasn't) or the replacements were production-ready (they weren't) is... Well, it's not up for debate at all. They rushed WebExtensions and such new technologies out the door even though they weren't ready or nearly as robust as what they replaced. But userChrome.js, browser-level JS execution, unique dialogs, modifying the look&feel of the browser... It's all still possible in different ways, while the base Firefox experience is now faster than ever.

          I hated Mozilla for what they did too, but I found Chrome (I used Iridium) to be far less user-customizable than even new Firefox is. I ended up crawling back despite all pretenses, and now my browsing experience is actually better than it was before, both as a developer and a user.

          Do I like the current state of Mozilla? No, but their product is still workable, and unlike Chrom[e,ium] or even Iridium, you can still lock the browser down, for now at least.

          I don't know how long it will stay workable, since Mozilla seems hell-bent on deprecating XUL and removing these customization options, but we shall see.

          ...In the end I'll probably migrate over to Luakit or similar full-time. There are better alternatives than IE!

  9. Pascal Monett Silver badge

    So, viewing an ad can be bad ?

    Isn't ads that thing that Google is doing its best to ensure we see, ahem, for our "protection" ?

    Well gee, it looks like ad blockers are not so useless after all, eh Tim ?

  10. Anonymous Coward
    Anonymous Coward

    Are people still using google after all those missteps by google?

    You mean people are still using Chrome after all of those privacy violations? You mean they are still using Chrome after they forced you to login to your google account when using Chrome? You mean they are still using it after they tried to ban ad blockers? I am surprised they want to hand over all of their browsing habits to google.

    1. I ain't Spartacus Gold badge

      Re: Are people still using google after all those missteps by google?

      You're right. I've dumped Chrome right out of my life. I now use Facebook's new browser, Slurp. I'm in the beta program and it's great! I only had to fill out a 350 page contract, and sign in blood on every page - but it's OK as I was allowed to use the blood of my children, so it didn't hurt at all.

      Every web page I go to is now automatically linked to my Facebook timeline, so all my friends (and anyone else watching as it auto-changes your preferences to allow everyone to share the goodness) can now see what cool stuff I'm looking at and how intelligent I am.

      ...That Mister Man porn site has got so many likes...

      1. sabroni Silver badge

        Re: I now use Facebook's new browser, Slurp

        You don't need to. You just need a browser that runs JS or serves cookies and you're feeding facebook plenty of info.

        What are you suggesting? That as long as Chrome doesn't suck quite as much information as Facebook it's ok? Conflating the nosiest browser on the web with the nosiest website on the web shows a startling lack of technical understanding.

        Or is your post just Google love manifested through straw manning.....?

        1. I ain't Spartacus Gold badge

          Re: I now use Facebook's new browser, Slurp

          >Or is your post just Google love manifested through straw manning.....?

          Nope. My post was attempted humour. I don't use Chrome either. Partly because of the great Google slurp, and partly because I hate the UI. The reason I put up with Firefox in its crashy/memory leak period was the UI with actual menus - as well as the lack of Google. It's now rather fast too, and I've read accusations that Chrome sometimes does the memory-hog thing itself.

          To be fair to Google, they're as bad at slurping everyone's data and lying about it as Facebook. Well they've probably not been caught lying quite so often. They're not quite so amateur. But at least they haven't also spaffed that data to everybody who got API access - which appears to be most of the internet.

          As the Patrician says, if we must have crime, better that it be organised crime.

  11. Anonymous IV
    Thumb Up

    Chrome updated itself automatically

    If your PCs/laptops were powered on any time over the last three days (from 5 March onwards) it's highly likely that Chrome has already updated itself.

    If you need to check a bunch of them, then use

    dir "\\<pcname>\C$\Program Files\Google\Chrome\Application" /ad

    on each PC, and look for the folder named 72.0.3626.121

    Or perform the equivalent in PowerShell!
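The folder check from the comment above, written out in PowerShell as an added example (not part of the original comment and not Google tooling). The computer names are constructed placeholders, and the script assumes you can read each PC's C$ admin share; it also looks under Program Files (x86), which the comment does not mention.

```powershell
# Added example: find the highest Chrome version folder on each PC via the
# C$ admin share and compare it with the fixed build named in the thread.

# Constructed placeholder names; replace with your own list of PCs.
$Computers = @('PC-EXAMPLE-01', 'PC-EXAMPLE-02')

# Fixed desktop build for CVE-2019-5786, as quoted in the thread.
$FixedVersion = [version]'72.0.3626.121'

# Assumption: Chrome may live under either Program Files directory.
$RelativePaths = @(
    'Program Files\Google\Chrome\Application',
    'Program Files (x86)\Google\Chrome\Application'
)

function Get-ChromeVersionFolder {
    param([Parameter(Mandatory)][string]$ComputerName)

    $found = foreach ($rel in $RelativePaths) {
        $path = "\\$ComputerName\C`$\$rel"
        if (Test-Path -LiteralPath $path) {
            # Version folders are named like 72.0.3626.121; skip anything else.
            Get-ChildItem -LiteralPath $path -Directory -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+$' } |
                ForEach-Object { [version]$_.Name }
        }
    }

    if (-not $found) { return $null }

    # [version] compares numerically per field, so 72.0.3626.121 > 72.0.3626.99.
    $found | Sort-Object -Descending | Select-Object -First 1
}

$report = foreach ($pc in $Computers) {
    $ver = $null
    if (-not (Test-Path -LiteralPath "\\$pc\C`$")) {
        # Powered off, firewalled, or no rights to the admin share.
        $status = 'Unreachable'
    } else {
        $ver = Get-ChromeVersionFolder -ComputerName $pc
        if ($null -eq $ver) {
            $status = 'ChromeNotFound'
        } elseif ($ver -ge $FixedVersion) {
            $status = 'FixedVersionPresent'
        } else {
            $status = 'NeedsUpdate'
        }
    }

    [pscustomobject]@{
        Computer       = $pc
        HighestVersion = $ver
        Status         = $status
    }
}

$report | Format-Table -AutoSize
```

`FixedVersionPresent` only says the updated files are on disk; a browser that was already running still has to be restarted to pick them up.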

    1. Roland6 Silver badge

      Re: Chrome updated itself automatically

      Given it seems that on some PCs the update has caused issues - on one of mine it caused several extensions to fail to load and MBAM to flag possible rootkit activity, recommending a reboot, I would be tempted to fire up Chrome just to ensure any update mess is tidied up.

  12. _LC_
    Mushroom

    Don’t you love monopolies?

    Google’s engine will soon be in (almost) every browser. What could possibly go wrong?

    1. Steve Davies 3 Silver badge
      Mushroom

      Re: Google’s engine will soon be in (almost) every browser.

      That really will be the end of the world as we know it.

    2. doublelayer Silver badge

      Re: Don’t you love monopolies?

      Why, nothing of course. You see, as the market share of our wonderful rendering system increases, people are showing that they acknowledge that we provide the best, fastest, most secure, and most open engine available. We gladly extend our code to anyone, which is why we have made the Chromium™ engine completely open source and offer it to any user or company out there. We also offer all our services that are built into the Chromium™ engine and can't be removed without tearing the codebase apart to these companies, no questions asked except sometimes when they will need some API keys to distinguish them, but that's clearly a normal and justified thing to do with open source code.

      With more and more people using the engine, any potential problems such as a framework that allows extensions that users install knowingly being able to block some parts of their traffic (yes, I know, but it happened) can be fixed extremely quickly. We aren't saying that it will be free of defects, but it will be better than the other options out there because it was developed with a very Googly mindset. We'll have so much data about everything that happens that we can find any risks to users' security or privacy and fix them immediately. We confidently expect that, in the next few years, the market share of our major competitors such as Gecko and WebKit will decrease to zero as competing browsers, which we totally support by the way, realize the superiority of this engine.

      Google autocomment software, version 38.159.2581003.627501869274030461957286834

      Well, we had to do something useful with our extra programmer-hours, didn't we? Like all google services, this autocomment software is completely open source. You can use it by getting an API key from Google's developer program and calling the three functions available in that interface. That's what open source means, isn't it?

  13. tiggity Silver badge

    Lack of info

    From Google was irritating.

    No info on whether exploit can be triggered without JS (i.e. HTML / CSS only or just being served a "tweaked" file) as would be extremely useful to know in those cases where upgrade awkward to apply (e.g. where people use Gold images and have a rigid protocol on changes to it, which makes zero day issue response a massive pain)

  14. Mystic Megabyte Silver badge
    Linux

    Ubuntu 16.04

    Just ran the Software Updater at 10:00 UTC and Chromium updated to 72.0.3626.121

  15. Anonymous Coward
    Anonymous Coward

    Browser

    "72.0.3626.121 or higher (or 72.0.3626.122 or higher on ChromeOS)"

    Checked and Google Chrome is up to date

    Version 72.0.3626.121 (Official Build) (64-bit)

    I don't think there are any higher versions yet.

  16. theBatman

    Not sure I see the distinction.

    Device or machine.

    Criminals and miscreants.

    Or at least, I’m not sure that it matters.

  17. Anonymous Coward
    Anonymous Coward

    Bankers

    We're running 65.0.3325.146 here. Nothing to worry about :(

    AC for obvious reasons.

  18. Tim99 Silver badge
    Trollface

    Why worry about being hacked?

    You have already installed a rootkit: Link to previous El Reg post.

  19. Will Godfrey Silver badge
    Unhappy

    Monoculture?

    With world + dog apparently moving to the chrome engine will it be fun times ahead?

  20. Smartypantz

    You will not feel the difference

    Apparently this exploit allows "others" to:

    "run spyware, ransomware, and other nasties on your device or machine …"

    How is this a problem in a product like Google Chrome? If you use chrome, Google, and by extension, "others" run "spyware, ransomware, and other nasties on your device or machine …". because this is the whole business model! Do you not know this?

    I guess the best analogy would be a pornstar complaining about cum-loads in the face from men she has not yet shaken hands with ;-)


Biting the hand that feeds IT © 1998–2019