Chrome is the keys to your castle, and it just shipped 382 fixes. Update it.

· Carl Heaton · Security Commentary

For most businesses the browser is the keys to the castle. Your team is signed into email, online banking, the accounting system, the CRM, and the cloud console, all in the same window, all day. The proof that you are logged in, the session token, sits inside the browser. So when the makers of Chrome quietly ship a very large security update, it is worth a minute of your attention, because that one application is where your whole business actually lives.

On 30 June, Google released Chrome 150, and it fixes 382 security flaws. Fifteen of them are rated critical, the highest of the four severity levels Google uses. Treat this filing as a public-service announcement: nothing is on fire yet, and that is exactly why now is the right moment to act.

What these bugs actually let an attacker do

Two kinds of flaw in this batch are worth understanding in plain terms, because the names are opaque and the risk is not.

A sandbox escape is the one that matters most for you. Chrome runs each web page inside a sealed box, so that a dodgy page can misbehave inside its own tab but cannot reach the rest of your computer. A sandbox escape breaks that seal. A booby-trapped page, reached by an accidental click or a bad link, gets to step out of the tab and reach the machine itself, and everything the browser holds. In practice an escape is usually chained with a second bug in the page-rendering process: the first bug gets the attacker's code running inside the box, the second lets it out. Several fixes in this update close exactly that kind of hole.

Remote code execution is the other. It means a crafted web page can run the attacker's own instructions, without anyone installing anything or clicking "yes" to a prompt. Visiting the page is enough. In Chrome that code normally lands inside the sandboxed tab process first, which is why the two kinds of flaw are so often paired.

Put the two together with what the browser is holding, and the stake is clear. The danger is not a crashed tab. It is a leaked login. A single mistimed visit to the wrong page could hand over the session that keeps someone signed into your email or your bank, and a stolen session token is accepted as-is: nobody is asked for the password, or the second factor, again.

The good news, and why it is a deadline not a reprieve

Here is the part that decides the timing. As far as anyone has reported, none of these flaws is being exploited in the wild yet, and there is no public proof of concept, meaning no working attack code has been published for others to copy. You are ahead of the attackers, for now.

That lead does not last. Once an update ships, the fix itself is a map. Chrome's underlying code, Chromium, is open source and its commit history is public, so skilled attackers study what changed, work backwards to the bug, and build an exploit, sometimes within days. The quiet window between "patched" and "being attacked" is the whole point of moving now. Waiting throws away the only advantage you have.

Google is rolling this out "over the coming days and weeks," in its usual staged way, so your machines will not all get it at once by default. That is the gap to close by hand.

What to do this week

  • Update Chrome to version 150 and restart the browser. You want 150.0.7871.46 or later on Windows, Mac, and Linux, and 150.0.7871.63 or later on Android. On most machines the update is already downloaded and is only waiting for a restart to take effect, so a full close and reopen of Chrome may be all it takes. Check via the menu, then Help, then About Google Chrome, which shows the installed version and triggers an update check; typing chrome://version into the address bar shows the same number without starting one.
  • Do not wait for the automatic rollout. If you manage a fleet of machines, push the update rather than trusting Google's staged release to reach everyone in time. This is the difference between patched by Friday and patched by whenever.
  • Ask the harder question underneath it. Do you actually know which version of Chrome each machine in your business is running right now? For most SMEs the honest answer is no. That blind spot is the real problem this update points at, and it is worth closing while you are here.
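The question in the last item is easier to answer with a script than with a spreadsheet. The example below is added for this article and is not a Steelwise or Google tool: it takes an exported inventory of hostnames, platforms and Chrome version strings (the inventory here is constructed; yours would come from your MDM or RMM export) and lists the machines still below the patched builds named above. Version strings must be compared number by number, not as text, otherwise "150.0.7871.9" wrongly counts as newer than "150.0.7871.46"; the sample inventory includes exactly that trap.

```python
"""Fleet check of Chrome versions against the patched builds.

Added example, not the page's or Steelwise's own code. The minimum versions
are the ones quoted in the article; the inventory below is constructed.
"""
import csv
import io
import re

# Patched builds as quoted in the article, per platform.
MINIMUM_VERSION = {
    "windows": "150.0.7871.46",
    "mac": "150.0.7871.46",
    "linux": "150.0.7871.46",
    "android": "150.0.7871.63",
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part Chrome version out of text such as
    'Google Chrome 150.0.7871.46' and return it as a tuple of ints,
    so that comparisons are numeric rather than lexical."""
    match = VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_patched(platform, version_text):
    """True if the reported version meets the minimum for that platform."""
    minimum = MINIMUM_VERSION[platform.strip().lower()]
    return parse_version(version_text) >= parse_version(minimum)


def audit(inventory_csv):
    """Return (needs_update, unknown): machines below the patched build,
    and machines whose platform or version could not be read."""
    needs_update = []
    unknown = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        try:
            if not is_patched(row["platform"], row["chrome_version"]):
                needs_update.append((row["host"], row["platform"], row["chrome_version"]))
        except (KeyError, ValueError):
            # Unknown platform, or no parseable version: treat as unverified,
            # never as patched.
            unknown.append(row["host"])
    return needs_update, unknown


# Constructed sample export: host, platform, raw version string as collected.
SAMPLE_INVENTORY = """host,platform,chrome_version
fin-laptop-01,windows,Google Chrome 150.0.7871.46
fin-laptop-02,windows,Google Chrome 149.0.7790.102
ops-mac-03,mac,150.0.7871.9
dev-linux-04,linux,Google Chrome 150.0.7871.60
sales-phone-05,android,150.0.7871.46
unknown-06,windows,not installed
"""


def main():
    needs_update, unknown = audit(SAMPLE_INVENTORY)
    for host, platform, version in needs_update:
        print(f"NEEDS UPDATE  {host:15} {platform:8} {version}")
    for host in unknown:
        print(f"UNVERIFIED    {host}")


if __name__ == "__main__":
    main()
```

Run against the sample it flags fin-laptop-02 (still on 149), ops-mac-03 (build 9 is below 46 despite sorting after it as a string), and sales-phone-05 (the Android minimum is 63, not 46), and reports unknown-06 as unverified rather than silently passing it. How you collect the version column is up to your tooling; on Linux and macOS the Chrome binary prints it with `--version`, and on Windows the file version of chrome.exe under Program Files carries the same number.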

The same reasoning applies to anything built on Chrome's engine, including Microsoft Edge, Brave, and Opera. They pick up the same fixes, but each ships on its own schedule and carries its own version number, so check and update each of them separately rather than assuming a Chrome update covered them.

The specific flaws, if you want to check

If you want to look under the bonnet, these are the 10 sandbox-escape and remote code execution fixes from this batch, each on its own page with the severity score and a plain-English summary. Full disclosure: StackFlag is one of ours, a free tool we built to track exactly this kind of thing, so the links do double duty.

How Steelwise can help

Knowing what you have, what version it is on, and how fast you could push a fix across every machine is exactly the kind of review we do with clients, before an incident rather than during one. Get in touch.
