The US Cybersecurity and Infrastructure Company (CISA) Friday urged customers and directors to replace to a brand new model of Chrome that Google launched final week to repair a complete of seven vulnerabilities in its browser.
In an advisory, Google described 4 of the failings — three of which have been reported to the corporate by exterior researchers — as presenting a excessive danger for organizations. The corporate mentioned it had determined to limit entry to bug particulars till most customers have up to date to the brand new model of Chrome (102.0.5005.115).
One of many vulnerabilities is a so-called use after free subject within the WebGPU software programming interface for features corresponding to computation and rendering on a Graphics Processing Unit. The bug (CVE-2022-2007) is remotely exploitable and might have an effect on the confidentiality, integrity, and availability of affected methods, in keeping with a description of the flaw on vulnerability database VulDB. “No type of authentication is required for exploitation. It calls for that the sufferer is performing some sort of person interplay,” VulDB famous.
Google awarded $10,000 to the safety researcher who reported the flaw to the corporate in Might. VulDB estimated the worth for an exploit for the flaw to be between $5,000 and $25,000 at the moment, although that might go up quickly, it famous.
The second flaw is an out-of-bounds reminiscence entry use within the WebGL API for rendering 2D and 3D graphics. Two researchers from Vietnamese agency VinCSS Web Safety Providers reported the bug (CVE-2022-2008) in April. VulDB described the flaw as being remotely exploitable however requiring no less than some person interplay by the sufferer. The flaw seems to be simply exploitable and requires no authentication, VulDB mentioned. Google’s advisory famous the reward for disclosing the vulnerability had but to be decided.
The third high-severity vulnerability that the brand new Chrome model addresses (CVE-2022-2010) is an out-of-bound learn subject in compositing
or in rendering Net web page content material. A safety researcher with Google’s personal Undertaking Zero bug searching staff found the vulnerability in Might. Like the opposite two flaws, this one additionally impacts the confidentiality, integrity, and availability of affected methods, VulDB mentioned.
The fourth excessive severity vulnerability that Google disclosed is a use-after-free subject that an exterior safety researcher reported to the corporate in Might. The flaw (CVE-2022-2011) exists in ANGLE, a operate that Google describes as an “virtually native Graphics Layer engine” in Chrome. The reminiscence corruption vulnerability has a close to similar affect as the opposite three, primarily based on VulDB’s description of the difficulty.
CISA: Flaws Enable Attackers to Take Management of Affected Techniques
CISA urged organizations to overview Google’s Chrome launch notice and apply the replace to mitigate danger. “Google has launched Chrome model 102.0.5005.115 for Home windows, Mac, and Linux. This model addresses vulnerabilities that an attacker might exploit to take management of an affected system,” it mentioned.
The seven flaws that Google addressed with its newest Chrome model is significantly smaller in quantity than another current Chrome-related bug disclosures from the corporate. A Chrome replace that Google launched on Might 24 included fixes for 32 flaws, one among which was rated as being of crucial severity whereas seven others have been rated as being extremely crucial. One other replace, additionally in Might, contained fixes for 13 flaws, eight of which the corporate rated as being of excessive severity.