A new patch for the Google Chrome browser fixes seven critical security vulnerabilities. Four of these vulnerabilities have been rated as high risk by the US Cybersecurity & Infrastructure Agency (CISA). The agency is asking all users to download the latest iteration of Chrome (v102.0.5005.115) to protect themselves.
The new Chrome patch is available for Windows, Mac and Linux users affected by these vulnerabilities
According to CISA, these Chrome vulnerabilities are present on Windows, Linux, and Mac versions of the browser. So users who have auto-update turned on for Chrome should already be safe. High-risk vulnerabilities include CVE-2022-2007, CVE-2022-2008, CVE-2022-2010, and CVE-2022-2011.
CVE-2022-2007 is a UAF (Use-After-Free) vulnerability present in WebGPU, allowing attackers to exploit the misuse of dynamic memory during program operation and possibly hack the program. Meanwhile, Google defines CVE-2022-2008 as “Memory access out of bounds in WebGL”.
CVE-2022-2010 is an out-of-bounds read vulnerability in the browser. The fourth high-risk vulnerability, CVE-2022-2011, is a UAF vulnerability within the Cross-Platform Graphics Engine (ANGLE) mining layer.
Google does not offer a full picture of how attackers might exploit the vulnerability. This is in line with company policy not to release full details of high-risk vulnerabilities until all users have installed the patch.
“Access to bug details and links may be restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that others projects are similarly dependent, but have not yet been fixed,” Google said in a statement. blog post (Going through ZDNet).
The discovery of CVE-2022-2010 came from the Google Project Zero research group. Others have come from independent researchers, including David Manouchehri, Tran Van Khang and SeongHwan Park. While Manouchehri will receive a $10,000 bounty for identifying CVE-2022-2007, the reward amount for the remaining two researchers is “to be determined.”
CISA added 36 security vulnerabilities to its catalog last week
Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added 36 new security vulnerabilities to its long catalog. The agency said these flaws were a frequent attack vector and could put individuals at “significant risk”.
These newly discovered vulnerabilities belong to a diverse group of companies and brands, including Adobe, Cisco, Google, Microsoft, Netgear, and QNAP, etc.