Google Fixes 24 Vulnerabilities With New Chrome Update
But one issue that lets websites overwrite content on a user’s system clipboard appears unfixed in the new Version 105 of Chrome.
Google’s first stable channel version of Chrome 105 for Windows, Mac, and Linux, released this week, contained fixes for 24 vulnerabilities in previous versions of the software, including one “critical” flaw and eight that the company rated as being of “high” severity.
A plurality — nine — of the security issues that Google addressed with Chrome 105 were so-called use-after-free vulnerabilities, or flaws that allow attackers to use previously freed memory spaces to execute malicious code, corrupt data, and take other malicious actions. Four of the patched vulnerabilities were heap buffer-overflows in various Chrome components, including WebUI and Screen Capture.
Attackers often exploit buffer overflows for a variety of malicious purposes, including executing arbitrary code, overwriting data, crashing systems, and triggering denial-of-service conditions.
Clipboard Overwriting
One issue that Google does not appear to have fixed in the update centers around clipboards. According to Malwarebytes, when users of Google Chrome — or any Chromium-based browser — visit a website, the site can push any content they want to the user’s OS clipboard, without the user’s permission or any interaction.
“This means that by simply visiting a website, the data on your clipboard may be overwritten without your consent or knowledge,” Malwarebytes said.
This can result in users losing valuable data they might have wanted to cut and paste elsewhere while also giving attackers an opening to try and sneak malicious code onto a user’s system, the security vendor said. The problem has to do with the absence of any requirement in Chrome and Chromium-based browsers for users to take specific steps, such as pressing “Ctrl+C,” to copy content from a website to the user’s clipboard, Malwarebytes said.
Security researcher Jeff Johnson identified the issue with Chrome as part of a broader problem that impacts both Safari and Firefox as well. “Chrome is currently the worst offender, because the user gesture requirement for writing to the clipboard was accidentally broken in version 104,” he said in a report this week.
However, the reality is that users of other browsers such as Firefox and Safari can have websites overwriting their system clipboards more easily than they realize, Johnson said. Though both these browsers require users to take some action to copy website content to their clipboards, the actions are a lot broader than they might imagine.
For instance, actions like focusing out on a screen, or pressing keydown/keyup and mousedown/mouseup, can result in website content getting copied to the clipboard without the user’s knowledge, Johnson said.
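The gate that Johnson says Chrome 104 accidentally dropped, shown as an added example that is not code from the article, from Chromium or from Malwarebytes: a wrapper that refuses `navigator.clipboard.writeText` unless the page currently holds transient user activation, as reported by `navigator.userActivation.isActive`. The `nav` parameter and the fake navigator are assumptions so the logic can run outside a browser; in a real page you would pass the browser’s `navigator`.

```javascript
// Added example: a fail-closed clipboard write gated on transient user
// activation. A browser that enforces the gesture requirement does this
// check itself; the wrapper makes the requirement explicit for page code
// and fails closed on browsers that lack navigator.userActivation.

function clipboardWriteAllowed(nav) {
  // navigator.userActivation.isActive is true only for a short window after
  // a genuine user gesture (click, key press). Missing API => not allowed.
  const ua = nav && nav.userActivation;
  return Boolean(ua && ua.isActive === true);
}

function guardedWriteText(nav, text) {
  if (!clipboardWriteAllowed(nav)) {
    return { written: false, reason: 'no transient user activation' };
  }
  if (!nav.clipboard || typeof nav.clipboard.writeText !== 'function') {
    return { written: false, reason: 'async clipboard API unavailable' };
  }
  // writeText returns a promise; hand it back so a caller can await it.
  return { written: true, reason: null, done: nav.clipboard.writeText(text) };
}

// Constructed stand-in for `navigator` (assumption, not a real browser object)
// so the gate can be exercised offline. `store.value` plays the OS clipboard.
function makeFakeNavigator({ active, withClipboard = true }) {
  const store = { value: 'original clipboard contents' };
  const nav = { userActivation: { isActive: active } };
  if (withClipboard) {
    nav.clipboard = {
      writeText(t) {
        store.value = t;
        return Promise.resolve();
      },
    };
  }
  return { nav, store };
}

function demo() {
  // Page load with no gesture: the write is refused, clipboard untouched.
  const idle = makeFakeNavigator({ active: false });
  const onLoad = guardedWriteText(idle.nav, 'text planted by a page');

  // Inside a click handler: gesture present, the write goes through.
  const clicked = makeFakeNavigator({ active: true });
  const onClick = guardedWriteText(clicked.nav, 'copied on purpose');

  return {
    onLoadWritten: onLoad.written,
    idleClipboard: idle.store.value,
    onClickWritten: onClick.written,
    clickedClipboard: clicked.store.value,
  };
}
```

In page code the wrapper belongs inside an event handler for the copy button; calling it from a load or timer callback returns `written: false`, which is exactly the behaviour a correctly working browser would impose anyway.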
The researcher noted that Chrome developers are already aware of the issue and are addressing it. Google did not immediately respond to a Dark Reading request for comment.
“Attackers may abuse this bug to copy malicious links to users’ clipboards, which could result in users pasting those links in their address bar and accessing malicious sites accidentally,” says Ivan Righi, senior cyber threat analyst at Digital Shadows.
“Another way this bug could be exploited is to conduct fraudulent cryptocurrency transactions. Threat actors could leverage the flaw in conjunction with social engineering attacks to get users to enter the wrong wallet addresses for transactions,” Righi says. However, the likelihood of such attacks being successful is low because users are likely going to notice abnormal contents placed on their clipboard, he says.
A Plethora of Use-After-Free Issues
Meanwhile, the sole critical vulnerability (CVE-2022-3038) Google addressed with the stable version of Chrome 105 was reported by a security researcher from its own Project Zero bug hunting team: The use-after-free flaw in Google Chrome Network Service gives remote attackers a way to execute arbitrary code or trigger denial of service conditions on user systems by getting them to visit a weaponized website.
External bug hunters and security researchers reported all the remaining vulnerabilities that Google addressed this week in Chrome. The most consequential among them appears to have been CVE-2022-3039, a high-severity use-after-free vulnerability in WebSQL that two researchers from China’s 360 Vulnerability Research Institute reported to Google. The researchers received $10,000 for reporting the bug to Google — the highest amount awarded in the current set.
Another high-impact, use-after-free flaw in Chrome Layout garnered $9,000 for the anonymous security researcher that reported the issue to Google. Bounties for the remaining bugs ranged from $1,000 to $7,500. Google has not yet determined rewards for four bug disclosures.
As has become standard practice among major vendors, Google said it has restricted access to bug details until most users have an opportunity to implement the new, stable version of Chrome.
“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed,” Google said in a blog this week. A senior Microsoft security executive had recently used the same reason to explain why Microsoft’s bug disclosures also contain scant details these days.
While the bug fixes are almost certainly the primary reason why users might want to update to the stable version of Chrome 105, the new browser version also introduces a handful of additional features. These include features that allow developers to add window control buttons — such as closing, maximizing, or minimizing — to progressive Web apps, a new picture-in-picture API for Chrome on Android, and improvements to Chrome’s Navigation API.
Related news
Gentoo Linux Security Advisory 202209-23 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 105.0.5195.125 are affected.
Use after free in WebSQL in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Use after free in Network Service in Google Chrome prior to 105.0.5195.52 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.