Another Chrome zero-day, this time on Android – check your version!

Two weeks ago, the big “zero-day” news concerned a bug in Chrome.

We advised everyone to look for a Chrome or Chromium version number ending in .111, given that the previous mainstream version turned out to include a buffer overflow bug that was already known to cybercriminals.

Loosely speaking, if the crooks get there first and start exploiting a bug before a patch is available, that’s known as a zero-day hole.

The name comes from the early days of software piracy, when game hackers took brand new product releases and competed to see who could “crack” them first.

As you can imagine, in the days before widespread internet access made free games with a subscription-based online component viable, games vendors often resorted to abstruse and complex technical tricks to inhibit unlawful duplication of their software.

Nevertheless, top crackers would often unravel even the most ornery software protection code in a few days, and the lower the number of days before the crack came out, the bigger the bragging rights in underground forums.

The ultimate sort of crack – the gold-medal-with-a-laurel-wreath version – was one that came out with a zero-day delay (more coolly called an 0-day, with 0 pronounced as “oh”, not “zero”), where the game and its revenue-busting crack appeared on the very same day.

And “zero-day” is a term that has stuck, with the word now denoting a period of zero days during which even the most scrupulous sysadmin could have patched proactively – whether the crooks have known about the bug for years, months, weeks or days.

Well, the bad news is that there’s another vital update to Chrome, which means that users on Windows, Linux and Mac should now be looking for a version number of 86.0.4240.183, not for 86.0.4240.111.

According to Google, there are seven CVE-numbered high severity vulnerabilities fixed this time, one of which (CVE-2020-16009) is a zero-day bug that’s already being exploited by attackers.

Worse on Android

On Android, things are worse, and the version you need is 86.0.4240.185, because the Android patches include a fix for an additional bug, dubbed CVE-2020-16010, that is apparently unique to the Android version of Chrome…

…and as Google once again drily notes, without any detail or explanation, “[we are] aware of reports that an exploit for CVE-2020-16010 exists in the wild.

In short: Chrome for Android has a zero-day hole that crooks are already abusing, so you need to patch.

We don’t know how the crooks are abusing this bug, and we don’t know where it’s happening – if Google knows, it isn’t saying – so all we can advise is, “Get the update as soon as you can.”

As often happens, given the fragmented state of the Android ecosystem, updates often arrive at different times and in different ways depending on what device you bought, from which manufacturer, with which vendor’s name on it, and possibly even which mobile network it’s connected to.

So, as usual, despite what sounds like a serious problem in the standard Android browser, Google can offer little more by way of consolation than its usual disclaimer that the new version will “become available on Google Play over the next few weeks.

Check early, check often – and get the patch as early as possible.

What to do?

  • On Windows, Linux and Mac, look for version 86.0.4240.183. (Or later, depending on when you are reading this.)
  • On Android, look for version 86.0.4240.185.

The burning question, of course, if Google Play is still showing an earlier version for your device than the number given above, is “What then?”

As we noted above, Google has implied that this update may take weeks to reach all devices, and some old devices may not be getting updates anyway, in which case there isn’t a lot you can do but to live without the update until it arrives, or get a new phone that gets prompt patches.

If you are stuck without a Chrome update, you could consider switching to an alternative Android browser, albeit temporarily.

Look either for one that’s based on different software underpinnings, such as Firefox, or for one based on the Chromium codebase that is sufficiently different to Chrome that (so far as you can tell) the CVE-2020-16010 bug is not replicated in it.

You can switch your default browser using Settings > Set as default browser (Firefox, perhaps unsuprisingly, has detailed instructions on how to switch for various Android versions).

Note that on Google Android builds, Chrome is supplied with the operating system, in much the same way that Safari is part of iOS on Apple iPhones, and therefore can’t be uninstalled.

You can disable Chrome temporarily – or “turn it off so that it won’t show on the list of apps on your device”, in Google’s words – via the Settings > Apps & notifications option.