Google has released Chrome updates to address seven security flaws discovered in the browser used by millions around the world, four of which are classified as high risk.
According to a US Cybersecurity & Infrastructure Agency (CISA) alert, attackers could exploit vulnerabilities in Google Chrome for Windows, Mac, and Linux “to take control of an affected system.”
CISA recommends that users update to the latest version of Google Chrome – 102.0.5005.115 – to protect against exploitation of the security vulnerabilities.
CVE-2022-2007 is a use-after-free (UAF) vulnerability in WebGPU, a class of flaw in which the program incorrectly uses dynamic memory during operation and which attackers can exploit to hack the program. CVE-2022-2008 is an out-of-bounds memory access vulnerability in WebGL, a JavaScript API used in Google Chrome. An out-of-bounds vulnerability allows attackers to access sensitive information that they should not have access to.
The security update also addresses CVE-2022-2010, an out-of-bounds read vulnerability in Chrome’s compositing component, and CVE-2022-2011, a UAF vulnerability in ANGLE, an open-source, cross-platform graphics engine abstraction layer used in Chrome’s backend.
Google’s Project Zero research team discovered CVE-2022-2010, while the others were discovered by independent security researchers. David Manouchehri, a security researcher, received a $10,000 bug bounty for disclosing CVE-2022-2007. The researchers who discovered CVE-2022-2008 and CVE-2022-2011 will receive bug bounties.
According to a Google blog post about the Chrome release, “access to bug details and links may be restricted until a majority of users have been updated with a fix; we will also retain restrictions if the bug exists in a third-party library on which other projects similarly rely, but haven’t yet fixed.”
Full details on how attackers can exploit the high-risk vulnerabilities have yet to be revealed, in line with Google’s policy of waiting for the majority of users to apply the updates before revealing more.