Google has disclosed four high-severity vulnerabilities in Google Chrome. CISA says users should install the updates immediately.
Google has released Chrome updates that fix seven vulnerabilities, four of them rated high severity.
According to a warning from the United States Cybersecurity and Infrastructure Security Agency (CISA), attackers could exploit the Google Chrome vulnerabilities on Windows, Mac and Linux "to take control of an affected system".
CISA encourages users to update right away to the latest version of Google Chrome, 102.0.5005.115, to prevent the vulnerabilities from being exploited.
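As an added example (not from the article, Google or CISA), a defender's inventory check that flags hosts still reporting a Chrome build older than the fixed version 102.0.5005.115; the host list is constructed and the "host,version" inventory format is an assumption.

```python
import re

# Fixed Chrome build named in the CISA/Google advisory above.
FIXED_VERSION = "102.0.5005.115"

# Constructed sample inventory (hypothetical hosts): hostname and the
# Chrome version string each host reports, one per line.
SAMPLE_INVENTORY = """\
ws-001,Google Chrome 102.0.5005.115
ws-002,102.0.5005.63
ws-003,Google Chrome 101.0.4951.67
ws-004,103.0.5060.53
ws-005,not installed
"""


def parse_version(text):
    """Return the first dotted four-part version as a tuple of ints, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups())


def is_fixed(version_text, fixed=FIXED_VERSION):
    """True if the reported build is at or above the fixed build.

    Comparing tuples of ints avoids the string-comparison trap in which
    '102.0.5005.63' sorts after '102.0.5005.115' because '6' > '1'.
    """
    v = parse_version(version_text)
    return v is not None and v >= parse_version(fixed)


def hosts_needing_update(inventory_csv):
    """Return hostnames whose Chrome build is below the fix or cannot be parsed.

    Unparseable entries are flagged rather than ignored, so a host with no
    version recorded is treated as unverified, not as patched.
    """
    needs = []
    for line in inventory_csv.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition(",")
        if not is_fixed(version_text):
            needs.append(host)
    return needs


if __name__ == "__main__":
    print(hosts_needing_update(SAMPLE_INVENTORY))
```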
The high-severity vulnerabilities are CVE-2022-2007, a use-after-free (UAF) vulnerability in WebGPU, which lets an intruder exploit the misuse of dynamic memory during program execution to compromise the program, and CVE-2022-2008, an out-of-bounds memory access vulnerability in WebGL, a JavaScript API used in Google Chrome. An out-of-bounds vulnerability allows attackers to read sensitive information that they should not have access to.
The other high-severity vulnerabilities in Google Chrome fixed by the security update are:
CVE-2022-2010, an out-of-bounds read vulnerability in Chrome compositing, and CVE-2022-2011, a UAF vulnerability in ANGLE, an open-source, cross-platform graphics engine used in Chrome's backend.
No further details have been released, as Google's policy is to withhold them until the majority of Chrome users have installed the update.
"Access to bug details and links may remain restricted until the majority of users have updated. We will also maintain these restrictions if the bug exists in a third-party library on which other projects that have not yet been fixed depend," Google says in the Chrome release notes.
CVE-2022-2010 was discovered by Google's Project Zero research team, while the other vulnerabilities were discovered by independent security researchers. Security researcher David Manouchehri received a $10,000 bug bounty for uncovering CVE-2022-2007. Bug bounties for the researchers who discovered CVE-2022-2008 and CVE-2022-2011 have not yet been announced.
"We would also like to thank all the security researchers who worked with us during the development cycle to prevent security bugs from reaching the stable channel," Google said.
https://chromereleases.googleblog.com/2022/06/stable-channel-update-for-desktop.html