Google has disclosed four high-severity vulnerabilities in Google Chrome, and CISA says users should install the updates immediately.
Google has released a set of Chrome updates that fix seven vulnerabilities, four of them rated high severity.
According to a warning from the US Cybersecurity and Infrastructure Security Agency (CISA), attackers could exploit the vulnerabilities in Google Chrome on Windows, Mac and Linux "to take control of an affected system".
CISA urges users to update immediately to the latest version of Google Chrome, 102.0.5005.115, to prevent exploitation of the vulnerabilities.
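The check a defender wants after an advisory like this is whether an installed Chrome build is at or above the fixed version. The following is an added example, not code from the article, CISA or the Chromium project: it compares dotted version strings numerically rather than lexically, because a plain string comparison ranks "99.x" above "102.x". The fixed version 102.0.5005.115 comes from the article; the `google-chrome --version` style line in `main()` is a constructed sample, and all function names are the example's own.

```c
/* Added example, not code from the article, CISA or Chromium: numeric
 * dotted-version comparison for checking an installed Chrome build against
 * the fixed version named in the advisory. CHROME_FIXED_VERSION is taken
 * from the article; the sample output line in main() is constructed. */
#include <stdio.h>
#include <stdlib.h>

#define CHROME_FIXED_VERSION "102.0.5005.115"
#define MAX_COMPONENTS 4

/* Parse "a.b.c.d" into numbers. Fewer components are padded with zeros;
 * a trailing space, tab or newline ends the string. Returns 0 on success. */
static int parse_version(const char *s, unsigned long out[MAX_COMPONENTS]) {
    const char *p = s;
    for (int i = 0; i < MAX_COMPONENTS; i++) out[i] = 0;
    for (int i = 0; i < MAX_COMPONENTS; i++) {
        char *end;
        if (*p < '0' || *p > '9') return -1;        /* component must start with a digit */
        out[i] = strtoul(p, &end, 10);
        if (*end == '\0' || *end == ' ' || *end == '\n' || *end == '\t') return 0;
        if (*end != '.') return -1;
        p = end + 1;
    }
    return -1;                                      /* more than four components */
}

/* Returns -1, 0 or 1 like strcmp, but compares component by component as
 * numbers, so "99.0.4844.84" sorts below "102.0.5005.115".
 * Returns -2 if either string is malformed. */
int version_cmp(const char *a, const char *b) {
    unsigned long va[MAX_COMPONENTS], vb[MAX_COMPONENTS];
    if (parse_version(a, va) != 0 || parse_version(b, vb) != 0) return -2;
    for (int i = 0; i < MAX_COMPONENTS; i++) {
        if (va[i] < vb[i]) return -1;
        if (va[i] > vb[i]) return 1;
    }
    return 0;
}

/* 1 if the installed build is at or above the fixed version, 0 if older,
 * -1 if the string could not be parsed (treat as non-compliant). */
int chrome_is_patched(const char *installed) {
    int c = version_cmp(installed, CHROME_FIXED_VERSION);
    return (c == -2) ? -1 : (c >= 0);
}

/* Same check on a line such as "Google Chrome 102.0.5005.115", the shape
 * printed by `google-chrome --version` (exact wording varies by platform). */
int chrome_is_patched_from_output(const char *line) {
    const char *p = line;
    while (*p != '\0' && (*p < '0' || *p > '9')) p++;   /* skip to first digit */
    if (*p == '\0') return -1;
    return chrome_is_patched(p);
}

int main(void) {
    const char *sample = "Google Chrome 102.0.5005.63";   /* constructed sample line */
    printf("%s -> patched=%d\n", sample, chrome_is_patched_from_output(sample));
    return 0;
}
```

Feed the function the version string your inventory tooling already collects; anything that fails to parse is reported as -1 so it surfaces as non-compliant rather than silently passing.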
The high-severity vulnerabilities are CVE-2022-2007, a use-after-free (UAF) vulnerability in WebGPU, in which the browser keeps using dynamically allocated memory after it has been freed; attackers can abuse this memory-management error to corrupt program state and compromise the browser.
CVE-2022-2008 is an out-of-bounds memory access vulnerability in WebGL, a JavaScript API used in Google Chrome. An out-of-bounds vulnerability lets attackers read sensitive information they should not be able to access.
The other high-severity vulnerabilities fixed by these updates are:
CVE-2022-2010, an out-of-bounds read in Chrome's compositing component, and CVE-2022-2011, a UAF vulnerability in ANGLE, an open-source, cross-platform graphics engine used in the Chrome back end.
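To make the two bug classes above concrete, here is an added example that is not code from the article or from the Chromium project: a small bookkeeping allocator in C that records each block's size and liveness, so an out-of-bounds index or an access through a freed handle is reported as an error code instead of silently reading whatever memory happens to lie there. This models, in miniature, what instrumentation such as AddressSanitizer does during fuzzing and testing. All handles, sizes and byte values are constructed for the demo; the code does not reflect the actual Chrome bugs.

```c
/* Added example, not code from the article or from Chromium: a tiny
 * bookkeeping allocator that models how memory sanitizers catch the two
 * bug classes described above, use-after-free and out-of-bounds access.
 * Handles, sizes and byte values below are constructed for the demo. */
#include <stdio.h>
#include <stdlib.h>

enum access_result {
    ACCESS_OK = 0,
    ACCESS_OUT_OF_BOUNDS = 1,   /* index past the bytes the caller owns */
    ACCESS_USE_AFTER_FREE = 2,  /* block was freed earlier (or freed twice) */
    ACCESS_BAD_HANDLE = 3       /* handle never allocated */
};

#define MAX_TRACKED 16

struct tracked_block {
    unsigned char *base;  /* real heap memory; NULL if slot unused */
    size_t size;          /* bytes the caller legitimately owns */
    int live;             /* 0 once freed; memory stays quarantined */
};

static struct tracked_block g_blocks[MAX_TRACKED];

/* Allocate a zeroed block and return a handle (slot index), or -1. */
int tracked_alloc(size_t size) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (g_blocks[i].base == NULL) {
            unsigned char *p = calloc(size ? size : 1, 1);
            if (p == NULL) return -1;
            g_blocks[i].base = p;
            g_blocks[i].size = size;
            g_blocks[i].live = 1;
            return i;
        }
    }
    return -1;
}

/* Shared validity check used by every access. */
static int check_access(int handle, size_t index) {
    if (handle < 0 || handle >= MAX_TRACKED || g_blocks[handle].base == NULL)
        return ACCESS_BAD_HANDLE;
    if (!g_blocks[handle].live) return ACCESS_USE_AFTER_FREE;
    if (index >= g_blocks[handle].size) return ACCESS_OUT_OF_BOUNDS;
    return ACCESS_OK;
}

int tracked_write(int handle, size_t index, unsigned char value) {
    int rc = check_access(handle, index);
    if (rc == ACCESS_OK) g_blocks[handle].base[index] = value;
    return rc;
}

int tracked_read(int handle, size_t index, unsigned char *out) {
    int rc = check_access(handle, index);
    if (rc == ACCESS_OK) *out = g_blocks[handle].base[index];
    return rc;
}

/* Free marks the block dead but keeps the memory quarantined, so a later
 * dangling access is reported rather than silently hitting a new object. */
int tracked_free(int handle) {
    if (handle < 0 || handle >= MAX_TRACKED || g_blocks[handle].base == NULL)
        return ACCESS_BAD_HANDLE;
    if (!g_blocks[handle].live) return ACCESS_USE_AFTER_FREE;  /* double free */
    g_blocks[handle].live = 0;
    return ACCESS_OK;
}

/* Release all quarantined memory (end of program or test). */
void tracked_reset(void) {
    for (int i = 0; i < MAX_TRACKED; i++) {
        free(g_blocks[i].base);
        g_blocks[i].base = NULL;
        g_blocks[i].size = 0;
        g_blocks[i].live = 0;
    }
}

/* Control: a legitimate write and read inside the block succeed. */
int demo_in_bounds(void) {
    unsigned char v = 0;
    int h = tracked_alloc(8);
    if (tracked_write(h, 7, 0x41) != ACCESS_OK || tracked_read(h, 7, &v) != ACCESS_OK) v = 0;
    tracked_reset();
    return v;    /* 0x41 */
}

/* Scenario 1: read one byte past an 8-byte block (the WebGL/compositing bug class). */
int demo_out_of_bounds(void) {
    unsigned char v = 0;
    int h = tracked_alloc(8);
    int rc = tracked_read(h, 8, &v);
    tracked_reset();
    return rc;   /* ACCESS_OUT_OF_BOUNDS */
}

/* Scenario 2: free a block, then read through the stale handle (the WebGPU/ANGLE bug class). */
int demo_use_after_free(void) {
    unsigned char v = 0;
    int h = tracked_alloc(8);
    tracked_free(h);
    int rc = tracked_read(h, 0, &v);
    tracked_reset();
    return rc;   /* ACCESS_USE_AFTER_FREE */
}

int main(void) {
    printf("in-bounds byte -> 0x%02x, out-of-bounds read -> %d, use-after-free read -> %d\n",
           demo_in_bounds(), demo_out_of_bounds(), demo_use_after_free());
    return 0;
}
```

The point of the quarantine in `tracked_free` is the same one sanitizers rely on: if freed memory were handed straight back to the next allocation, a dangling read would return plausible-looking data and the bug would go unnoticed until something else occupied that memory. Without such instrumentation, the plain C equivalents of both scenarios are undefined behaviour and crash or misbehave only by chance, which is why these bug classes are found mainly through fuzzing with sanitizers enabled.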
Google has released no further details; its policy is to withhold them until the majority of Chrome users have installed the update.
"Access to details and error links may remain restricted until the majority of users have been informed. We will also maintain these restrictions if the bug exists in a third-party library on which other projects that have not yet been fixed depend," Google says in the Chrome release notes.
CVE-2022-2010 was discovered by Google's Project Zero research team, while the other vulnerabilities were discovered by independent security researchers. Security researcher David Manouchehri received a bug bounty of $10,000 for the disclosure of CVE-2022-2007. Bug bounties for the researchers who discovered CVE-2022-2008 and CVE-2022-2011 have not yet been announced.
"We would also like to thank all the security researchers who worked with us during the development cycle to prevent security bugs from reaching the fixed channel," Google said.
https://chromereleases.googleblog.com/2022/06/stable-channel-update-for-desktop.html