Google has released updates for Chrome to fix seven security vulnerabilities – including four classed as high risk – discovered in the browser used by millions around the world.
According to an alert by the United States Cybersecurity & Infrastructure Agency (CISA), attackers could exploit the vulnerabilities in Google Chrome for Windows, Mac and Linux “to take control of an affected system”.
CISA encourages users to update to the latest version of Google Chrome – 102.0.5005.115 – to prevent the security vulnerabilities from being exploited.
SEE: A winning strategy for cybersecurity (ZDNet special report)
The high-risk vulnerabilities are CVE-2022-2007, a Use-After-Free (UAF) vulnerability in WebGPU, which allows attackers to exploit incorrect use of dynamic memory during program operation to hack the program, and CVE-2022-2008, an out-of-bounds memory access vulnerability in WebGL, a JavaScript API used in Google Chrome. An out-of-bounds vulnerability enables attackers to read sensitive information they shouldn’t have access to.
The other high-risk vulnerabilities in Google Chrome that the security update fixes are CVE-2022-2010, an out-of-bounds read vulnerability in Chrome’s compositing component and CVE-2022-2011, a UAF vulnerability in ANGLE, an open source, cross-platform graphics engine abstraction layer used in the backend of Chrome.
Full details of how attackers can exploit the high-risk vulnerabilities have yet to be disclosed, in accordance with Google’s policy of waiting for most users to apply the updates before revealing more.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” said the Google blog post about the Chrome release.
CVE-2022-2010 was uncovered by Google’s Project Zero research team, while the others were discovered by independent security researchers. Security researcher David Manouchehri received a bug bounty of $10,000 for disclosing CVE-2022-2007. Bug bounties for the researchers who discovered CVE-2022-2008 and CVE-2022-2011 are yet to be determined.
“We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel,” said Google.