
Time to update: Google patches seven Chrome browser bugs, four rated 'high' risk

Jun, 13, 2022 Hi-network.com

Google has released updates for Chrome to fix seven security vulnerabilities, including four classed as high risk, discovered in the browser used by millions around the world.

According to an alert by the United States Cybersecurity & Infrastructure Agency (CISA), attackers could exploit the vulnerabilities in Google Chrome for Windows, Mac and Linux "to take control of an affected system".


CISA encourages users to update to the latest version of Google Chrome, 102.0.5005.115, to prevent the security vulnerabilities from being exploited.
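For administrators checking a fleet against that fixed release, the sketch below is an added example (not from the article, Google or CISA) that flags hosts reporting a build older than 102.0.5005.115. The host names, the inventory format and the shape of the reported version strings are assumptions; the point it shows is that Chrome's four-part versions must be compared numerically, since as plain text "102.0.5005.99" sorts after "102.0.5005.115".

```python
import re

# Fixed Chrome release named in the article.
FIXED = (102, 0, 5005, 115)

# Matches a four-part version inside a string such as "Google Chrome 102.0.5005.61".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Return the four-part Chrome version in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def needs_update(text, fixed=FIXED):
    """True if the reported version is older than the fixed release.

    Unparseable input also returns True, so a host with a broken inventory
    record is never silently treated as patched.
    """
    version = parse_version(text)
    return version is None or version < fixed


def audit(inventory):
    """Return the sorted host names whose Chrome build predates the fix."""
    return sorted(host for host, reported in inventory.items()
                  if needs_update(reported))


# Constructed sample inventory (assumed format): host -> reported version string.
SAMPLE_INVENTORY = {
    "ws-001": "Google Chrome 102.0.5005.115",
    "ws-002": "Google Chrome 102.0.5005.61",
    "ws-003": "Google Chrome 102.0.5005.99",   # sorts after .115 as plain text
    "ws-004": "Google Chrome 103.0.5060.24 beta",
    "ws-005": "version unknown",
}

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: update required ({SAMPLE_INVENTORY[host]})")
```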


The high-risk vulnerabilities are CVE-2022-2007, a use-after-free (UAF) vulnerability in WebGPU, a class of flaw in which a program's incorrect use of dynamic memory during operation can be exploited to compromise it, and CVE-2022-2008, an out-of-bounds memory access vulnerability in WebGL, a JavaScript API used in Google Chrome. An out-of-bounds vulnerability enables attackers to read sensitive information they shouldn't have access to.

The other high-risk vulnerabilities in Google Chrome that the security update fixes are CVE-2022-2010, an out-of-bounds read vulnerability in Chrome's compositing component, and CVE-2022-2011, a UAF vulnerability in ANGLE, an open-source, cross-platform graphics engine abstraction layer used in the backend of Chrome.

Full details of how attackers can exploit the high-risk vulnerabilities have yet to be disclosed, in accordance with Google's policy of waiting for most users to apply the updates before revealing more. 

"Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed," said the Google blog post about the Chrome release. 

CVE-2022-2010 was uncovered by Google's Project Zero research team, while the others were discovered by independent security researchers. Security researcher David Manouchehri received a bug bounty of $10,000 for disclosing CVE-2022-2007. Bug bounties for the researchers who discovered CVE-2022-2008 and CVE-2022-2011 are yet to be determined.

"We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," said Google. 
