Wednesday, December 4, 2024

Zero-Day: Chrome browser gets 11 security fixes – update now!

The latest update to Google’s Chrome browser is out, bumping the four-part version number to 104.0.5112.101 (Mac and Linux), or to 104.0.5112.102 (Windows).

According to Google, the new version includes 11 security fixes, one of which is annotated with the remark that “an exploit [for this vulnerability] exists in the wild”, making it a zero-day hole.

The name zero-day is a reminder that there were zero days on which even the most well-informed and proactive user or sysadmin could have been patched ahead of the Bad Guys.

Update details

Details about the updates are scant, given that Google, in common with many other vendors these days, restricts access to bug details “until a majority of users are updated with a fix”.

But Google’s release bulletin explicitly enumerates 10 of the 11 bugs, as follows:

  • CVE-2022-2852: Use after free in FedCM.
  • CVE-2022-2854: Use after free in SwiftShader.
  • CVE-2022-2855: Use after free in ANGLE.
  • CVE-2022-2857: Use after free in Blink.
  • CVE-2022-2858: Use after free in Sign-In Flow.
  • CVE-2022-2853: Heap buffer overflow in Downloads.
  • CVE-2022-2856: Insufficient validation of untrusted input in Intents. (Zero-day.)
  • CVE-2022-2859: Use after free in Chrome OS Shell.
  • CVE-2022-2860: Insufficient policy enforcement in Cookies.
  • CVE-2022-2861: Inappropriate implementation in Extensions API.

As you can see, seven of these bugs were caused by memory mismanagement.

use-after-free vulnerability means that one part of Chrome handed back a memory block that it wasn’t planning to use any more, so that it could be reallocated for use elsewhere in the software…

Recommended:  Critical Gems Takeover Bug Reported in RubyGems Package Manager

…only to carry on using that memory anyway, thus potentially causing one part of Chrome to rely on data it thought it could trust, without realising that another part of the software might still be tampering with that data.

Often, bugs of this sort will cause the software to crash completely, by messing up calculations or memory access in an unrecoverable way.

Sometimes, however, use-after-free bugs can be triggered deliberately in order to misdirect the software so that it misbehaves (for example by skipping a security check, or trusting the wrong block of input data) and provokes unauthorised behaviour.

heap buffer overflow means asking for a block of memory, but writing out more data than will fit safely into it.

This overflows the officially-allocated buffer and overwrites data in the next block of memory along, even though that memory might already be in use by some other part of the program.

Buffer overflows therefore typically produce similar side-effects to use-after-free bugs: mostly, the vulnerable program will crash; sometimes, however, the program can be tricked into running untrusted code without warning.

The zero-day hole

The zero-day bug CVE-2022-2856 is presented with no more detail than you see above: “Insufficient validation of untrusted input in Intents.”

A Chrome Intent is a mechanism for triggering apps directly from a web page, in which data on the web page is fed into an external app that’s launched to process that data.

Google hasn’t provided any details of which apps, or what sort of data, could be maliciously manipulated by this bug…

Recommended:  Apple patches new zero-day actively exploited in the wild

…but the danger seems rather obvious if the known exploit involves silently feeding a local app with the sort of risky data that would normally be blocked on security grounds.

What to do?

Chrome will probably update itself, but we always recommend checking anyway.

On Windows and Mac, use More > Help > About Google Chrome > Update Google Chrome.

There’s a separate release bulletin for Chrome for iOS, which goes to version 104.0.5112.99, but no bulletin yet [2022-08-17T12:00Z] that mentions Chrome for Android.

On iOS, check that your App Store apps are up-to-date. (Use the App Store app itself to do this.)

You can watch for any forthcoming update announcement about Android on Google’s Chrome Releases blog

The open-source Chromium variant of the proprietary Chrome browser is also currently at version 104.0.5112.101.

Microsoft Edge security notes, however, currently [2022-08-17T12:00Z] say:

August 16, 2022

Microsoft is aware of the recent exploit existing in the wild. We are actively working on releasing a security patch as reported by the Chromium team.

You can keep your eye out for an Edge update on Microsoft’s official Edge Security Updates page.

source

Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today.

Remember, CyberSecurity Starts With You!

  • Globally, 30,000 websites are hacked daily.
  • 64% of companies worldwide have experienced at least one form of a cyber attack.
  • There were 20M breached records in March 2021.
  • In 2020, ransomware cases grew by 150%.
  • Email is responsible for around 94% of all malware.
  • Every 39 seconds, there is a new attack somewhere on the web.
  • An average of around 24,000 malicious mobile apps are blocked daily on the internet.
Bookmark
Please login to bookmarkClose
Recommended:  Unpatched Critical Atlassian Confluence Zero-Day RCE Flaw Actively Exploited
Share the word, let's increase Cybersecurity Awareness as we know it
- Sponsored -

Sponsored Offer

Unleash the Power of the Cloud: Grab $200 Credit for 60 Days on DigitalOcean!

Digital ocean free 200

Discover more infosec

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK. I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated... I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

more infosec reads

Subscribe for weekly updates

explore

more

security