Google Chrome 99

Just to emphasize the point, anyone using Google Chrome should should be running at least 99.0.4844.84. Check the last digits carefully because “.82” and “.83” were released a few days before and do NOT have the security fix needed for this zero-day vulnerability…

Thanks for that detail—I was waffling about including the full version number in the text, and your post convinced me that I should have. Now updated…

Never an easy choice, as we risk entering into “trauma fatigue” with so many “critical updates”. When I noticed the quick succession of +1 version updates I thought it was worth highlighting.

Don’t get me started on Adobe’s updates and how their software sometimes thinks it is up to date and is not (hello, Acrobat Pro on CC), or update files having the incorrect version number because someone didn’t run through the checklist before pushing it live.

Indeed! We almost never report on Chrome (or other browser) updates because there are so many and they mostly just install on their own. But when there’s a zero-day like this that affects all other Chromium browsers too, it seemed worth making an exception.

Thank you for TidBits, Adam! Just a note for users of 1Password 6: any update of Chrome beyond version 99.0.4844.51 breaks the Chrome 1Password browser extension so it can no longer connect with you locally installed (standalone) 1Password 6 app. The alternative is to buy a 1Password 7 subscription and have your password data stored online. If your subscription lapses, you can’t modify the online data (e.g., add or change a stored password, etc.). Personally, I’m not comfortable with having my passwords stored in a cloud. It seems ironic that one must choose between locally stored and IMO more secure password maintenance (as well as not paying a subscription fee or have your password data held hostage) and having a Web browser with security updates like this one.

One other ‘effect’ with Chrome ‘99.’ is that the ‘local install’ (not the subscription) of 1Password no longer works in Chrome. I understand the reluctance of updating 1PWD but it forces one to upgrade to the subscription version. I really don’t like subscription software but it seems that is the way of the world now.

The local install (standalone) of 1Password 6 does work IF you keep Chrome at version 99.0.4844.51. I don’t know if this is the fault of Chrome’s developers or 1Password’s (I suspect the latter), but I wonder if Chrome’s developers could adjust current and future versions to work around this blockage and allow users who have long since paid for 1Password 6 to have its functionality in a secure browser.

It appears to be the changes in Chrome. The response I got from 1Password: “On March 15th 2022, Google released Chrome 99, which introduced a new code signing certificate. Because of this change, [1Password 6 for Mac no longer works in Chrome 99 or later]”. I don’t know the specific version of Chrome 99 that was installed at that time, but by using Chrome 98.0.4758.109 1Password continues to work. So far I have not been able to totally disable the auto update of Chrome, but I can replace Chrome 99 with Chrome 98 from backups. As I said, I don’t really blame 1Password but it would be nice if they could make the necessary update to work with the new version of Chrome.

Thank you, bdthompson. I’ve seen the code signing certificate explanation from 1Password, and I’m not sure why they can’t obtain a new certificate for 1Password 6. Anyway, according to a post on extpose.com, you can disable Chrome’s autoupdate with Little Snitch (or, in my case, Lulu). Either of these can be used to block the process “Google Software Update via ksfetch,” which will stop Chrome’s autoupdates. Still, this doesn’t solve the problem of not being able to use 1Password 6 with a security-updated version of Chrome. Both companies claim to be dedicated to end-user security, and usually are, but this situation fails to bear that out.

To expand on my comment above (“I’ve seen the code signing certificate explanation from 1Password, and I’m not sure why they can’t obtain a new certificate for 1Password 6”), the reason Agilebits doesn’t update the 1Password 6 certificate is not that they “can’t”; it’s that they just won’t. Posts about the issue on their user forum basically just say version 6 is no longer maintained, and users’ solution is to just pony up for a subscription. Much the same as OS developers refusing to do critical security updates for operating systems more than a couple of versions old. Big Tech’s attitude toward customers seems to be, “Pay us your money, and then take your chances when we decide we want more.”

I haven’t been able to find Chrome v. 99.0.4844.51 for download. I have been resetting Chrome to v. 98.0.4758.109, as that was the last one I had in Time Machine. I found a couple sites that claimed to have 99.0.4844.51 but when I tried the download it defaulted to the latest version (100.x), I realize that there is potential malware with the older version but I haven’t had any problems (fingers crossed).

OOOPS!! Just did another search of Time Machine and found 99.0.4844.51. That seems to work. We shall see if the edits I did to the updater hold.