A new fix for the Google Chrome browser is fixing seven critical security vulnerabilities. Four of these vulnerabilities were termed high-risk by the U.S. Cybersecurity & Infrastructure Agency (CISA). The agency is asking all users to download the newest iteration of Chrome (v102.0.5005.115) to keep themselves protected.
The new Chrome fix is available for Windows, Mac, and Linux users affected by these vulnerabilities
According to CISA, these vulnerabilities on Chrome are present on Windows, Linux, and Mac versions of the browser. So users who have auto-update enabled for Chrome should be safe already. Among the high-risk vulnerabilities are CVE-2022-2007, CVE-2022-2008, CVE-2022-2010, and CVE-2022-2011.
The CVE-2022-2007 is a UAF (Use-After-Free) vulnerability present in WebGPU, enabling attackers to exploit the wrong use of dynamic memory during program operation and eventually hack the program. Meanwhile, Google defines CVE-2022-2008 as “Out of bounds memory access in WebGL.”
CVE-2022-2010 is an out-of-bounds read vulnerability within the browser. The fourth high-risk vulnerability, CVE-2022-2011, is a UAF vulnerability within the cross-platform graphics engine extraction layer (ANGLE).
Google isn’t offering the full picture of how attackers could exploit the vulnerability. This is in line with the company’s policy to not disclose all the details on high-risk vulnerabilities until all users have installed the patch.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed,” Google said in a blog post (via ZDNet).
The discovery of CVE-2022-2010 came from the Google Project Zero research group. Others came from independent researchers, including David Manouchehri, Tran Van Khang, and SeongHwan Park. While Manouchehri will receive a bounty of $10,000 for identifying CVE-2022-2007, the reward amount for the remaining two researchers is “TBD.”
The CISA added 36 security vulnerabilities to its catalog last week
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added 36 new security vulnerabilities to its lengthy catalog. The agency said these loopholes were a frequent attack vector and could expose individuals to “significant risk.”
These newly discovered vulnerabilities belong to a varied group of companies and brands, including Adobe, Cisco, Google, Microsoft, Netgear, and QNAP, etc.