Google has released a security update for its Google Chrome browser on Windows, Mac and Linux to fix ten security vulnerabilities, some of which could allow remote attackers to crash vulnerable systems.
Google has detailed some of the fixes in a Google Chrome release update – although the company is currently withholding full details about many of the issues until most users have applied the updates, which are due to rollout over the coming days and weeks.
In total, the latest Google Chrome update includes 10 security updates – which are also available for Google Chrome on mobile devices unless otherwise indicated. Six of the updates have been classified as ‘high severity’. That means the updates should be applied as soon as possible.
The vulnerabilities could potentially enable a remote attacker to exploit ‘heap corruption’ via a crafted HTML page. The corruption affects the ‘heap’, an area of pre-reserved computer memory that a program uses to store a variable amount of data.
Heap corruption occurs when a program damages the view of the heap, which can result in a memory fault to the extent it could cause a crash.
Also: Google’s hackers: Inside the cybersecurity red team that keeps Google safe
CVE-2022-3885 is a vulnerability in V8, the open-source JavaScript engine developed by the Chromium Project for Google Chrome and Chromium web browsers which could cause heat corruption, while CVE-2022-3886 is a vulnerability in Speech Recognition in Google Chrome which can be exploited for the same effect.
CVE-2022-3887 is a vulnerability in Web Workers, which is used in Google Chrome to run scripts in the background without interfering with the user interface. CVE-2022-3888 is a vulnerability in WebCodecs in Google Chrome, which is used to provide low-level access to media encoders and decoders.
Meanwhile, CVE-2022-3889 is a type confusion vulnerability in V8, providing the program with the wrong code. Each of these vulnerabilities can allow attackers to exploit heat corruption vulnerabilities.
The last of the vulnerabilities to have been listed publicly Is CVE-2022-3890, a heap buffer overflow in Crashpad in Google Chrome on Android, which could allow a remote attacker to perform a sandbox escape, potentially enabling them to escalate privileges across an entire host environment.
“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Google, which paid bug bounty rewards of between $7,000 and $21,000 to the researchers who discovered them.
It’s recommended that users apply the Google Chrome security patch for 107.0.5304.110 for Mac and Linux and 107.0.5304.106/.107 for Windows when it becomes available, in order to protect systems from potential attacks.
MORE ON CYBERSECURITY