Update Google Chrome now! New version includes 11 important security patches

Google has issued an update for the Chrome browser that includes 11 security fixes, 5 of them rated high severity. (This post first appeared on Malwarebytes Labs.)

Malwarebytes

The latest Google Chrome update includes 11 security fixes, some of which could be exploited by an attacker to take control of an affected system. Google Chrome’s Stable channel has been updated to 103.0.5060.134 for Windows, Mac, and Linux, and the new version will roll out over the coming days/weeks.

Vulnerabilities

Of the 11 security fixes, five are use-after-free issues, including four that are marked with a severity of “high.” Use-after-free (UAF) vulnerabilities arise from incorrect handling of dynamic memory during a program’s operation: a block of memory is freed, but the program keeps a pointer to it and later dereferences that pointer. If the pointer is not cleared when the block is released, the allocator may have handed the same memory to something else by the time it is used again, and an attacker who can influence the new contents can use the error to manipulate the program.
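To make the pattern concrete, here is an added example (not code from the article or from Chrome) that puts the defect described above next to one common hardening. The `record_t` type is a hypothetical stand-in for any heap object; `record_release` takes the address of the owning pointer so it can clear it, and every read goes through an accessor that rejects a cleared pointer instead of reading recycled memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record type standing in for any heap-allocated object
 * (a DOM node, a PDF object, a View); not taken from Chrome. */
typedef struct {
    char name[32];
    int  value;
} record_t;

/* The defect the article describes: the block is freed but the pointer to it
 * is kept and dereferenced. Reading through `rec` after free() is undefined
 * behaviour; if the allocator has already recycled the block, the program now
 * acts on whatever the new owner wrote there. Shown for contrast only; the
 * safe API below never calls it. */
int vulnerable_lookup(void) {
    record_t *rec = malloc(sizeof *rec);
    if (rec == NULL) return -1;
    rec->value = 42;
    free(rec);
    return rec->value;          /* BUG: use after free */
}

/* Hardened release: takes the address of the owning pointer and clears it,
 * so any later use sees NULL (a checkable condition, or a deterministic crash
 * rather than silent corruption) instead of recycled memory. Safe to call
 * twice, so it also cannot turn into a double free. */
void record_release(record_t **slot) {
    if (slot == NULL || *slot == NULL) return;
    free(*slot);
    *slot = NULL;
}

/* Every read goes through an accessor that rejects a cleared pointer.
 * Returns 0 on success and -1 for a NULL (already released) object. */
int record_get_value(const record_t *rec, int *out) {
    if (rec == NULL || out == NULL) return -1;
    *out = rec->value;
    return 0;
}

/* Full lifecycle: allocate, use, release, then attempt a stale access.
 * Returns the result of the stale access: -1 means it was caught. */
int safe_lifecycle_demo(void) {
    record_t *rec = calloc(1, sizeof *rec);
    if (rec == NULL) return -99;
    strncpy(rec->name, "example", sizeof rec->name - 1);
    rec->value = 42;

    int v = 0;
    if (record_get_value(rec, &v) != 0 || v != 42) {
        record_release(&rec);
        return -98;
    }

    record_release(&rec);              /* rec is NULL from here on */
    return record_get_value(rec, &v);  /* stale access rejected: -1 */
}

/* Confirms the release helper clears the owner's pointer and tolerates a
 * second call. Returns 1 on success, 0 otherwise. */
int release_clears_pointer(void) {
    record_t *rec = malloc(sizeof *rec);
    if (rec == NULL) return 0;
    record_release(&rec);
    if (rec != NULL) return 0;
    record_release(&rec);              /* second release is a no-op */
    return rec == NULL;
}

int main(void) {
    printf("stale access result: %d (expect -1)\n", safe_lifecycle_demo());
    printf("pointer cleared after release: %s\n",
           release_clears_pointer() ? "yes" : "no");
    return 0;
}
```

Clearing the owning pointer only helps when every copy of the pointer is cleared, which is why real code bases pair it with clear ownership rules, smart-pointer types or allocator hardening; in a browser the dangling reference usually lives in a second object rather than the local variable shown here, which is what makes these bugs hard to find by inspection.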

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). The four high-severity use-after-free vulnerabilities resolved with the latest Chrome update, together with a fifth issue fixed in the same release, are tracked as follows:

CVE-2022-2477 is a use-after-free vulnerability in Guest View that could allow arbitrary code execution following interaction by the victim.

CVE-2022-2478 is a use-after-free vulnerability in Chrome’s PDF handling code. Not many details are available but the attacker needs the victim to engage in some kind of user interaction to exploit this vulnerability.

CVE-2022-2479 is caused by insufficient validation of untrusted input in File. No further details were given but successful exploitation requires user interaction by the victim.

CVE-2022-2480 is a use-after-free vulnerability in Chrome’s Service Worker API. (Service workers are specialized JavaScript assets that act as proxies between web browsers and web servers.)

CVE-2022-2481 is a use-after-free vulnerability in Views. The Chrome user interface is constructed of a tree of components called Views. These Views are responsible for rendering, layout, and event handling.

How to protect yourself

If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Android users will also find an update waiting.

The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help, which you can also reach from the menu via Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.

[Screenshot: the About Chrome page reporting “Chrome is up to date”]

After the update the version should be 103.0.5060.134 or later.
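Checking “103.0.5060.134 or later” by eye is easy for one machine; across a fleet it is usually scripted, and the classic mistake is comparing version strings lexicographically (as text, "103.0.5060.99" sorts after "103.0.5060.134"). The following is an added example, not part of the article or of any Chrome tooling: it parses dotted versions numerically and reports whether an installed build meets the fixed version. The version strings it is fed are taken from this page; how you obtain the installed version (chrome://settings/help, an inventory agent) is outside the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse up to four dotted numeric components ("103.0.5060.134") into out[].
 * Missing trailing components count as 0. Returns 0 on success, -1 on
 * malformed input (empty string, non-digit text, trailing dot, >4 parts). */
int parse_version(const char *s, long out[4]) {
    for (int i = 0; i < 4; i++) out[i] = 0;
    if (s == NULL || *s == '\0') return -1;
    int idx = 0;
    const char *p = s;
    while (*p != '\0') {
        if (idx >= 4) return -1;
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0) return -1;   /* no digits where one was expected */
        out[idx++] = v;
        if (*end == '\0') break;
        if (*end != '.') return -1;
        p = end + 1;
        if (*p == '\0') return -1;          /* trailing dot */
    }
    return 0;
}

/* Numeric component-wise comparison. On success writes <0, 0 or >0 to *cmp
 * (a before, equal, after b) and returns 0; returns -1 if either string is
 * malformed, in which case *cmp is untouched. */
int compare_versions(const char *a, const char *b, int *cmp) {
    long va[4], vb[4];
    if (parse_version(a, va) != 0 || parse_version(b, vb) != 0) return -1;
    for (int i = 0; i < 4; i++) {
        if (va[i] != vb[i]) {
            *cmp = (va[i] < vb[i]) ? -1 : 1;
            return 0;
        }
    }
    *cmp = 0;
    return 0;
}

/* 1 if `installed` is at or above `fixed`, 0 if the update is still needed,
 * -1 if a version string could not be parsed (treat as "unknown", not "ok"). */
int chrome_is_patched(const char *installed, const char *fixed) {
    int cmp;
    if (compare_versions(installed, fixed, &cmp) != 0) return -1;
    return cmp >= 0 ? 1 : 0;
}

int main(void) {
    /* Fixed version named in the article; the others are constructed
     * sample inputs (the 104.x build appears in the related Gentoo advisory). */
    const char *fixed = "103.0.5060.134";
    const char *samples[] = { "103.0.5060.134", "104.0.5112.101",
                              "103.0.5060.99", "103.0.5060", "103.0.5060.abc" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = chrome_is_patched(samples[i], fixed);
        printf("%-16s numeric: %s   strcmp says later-or-equal: %s\n", samples[i],
               r == 1 ? "patched" : r == 0 ? "NEEDS UPDATE" : "unparseable",
               strcmp(samples[i], fixed) >= 0 ? "yes" : "no");
    }
    return 0;
}
```

The `strcmp` column in the output exists only to show the pitfall: for "103.0.5060.99" it answers "yes" while the numeric comparison correctly flags the build as needing the update. Anything that fails to parse is reported as unknown rather than silently passing, which is the behaviour you want from a compliance check.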

Stay safe, everyone!

Related news

CVE-2022-43449: en/security-disclosure/2022/2022-11.md · OpenHarmony/security - Gitee.com

OpenHarmony-v3.1.2 and prior versions had an arbitrary file read vulnerability via download_server. Local attackers can install a malicious application on the device and reveal any file from the filesystem that is accessible to the download_server service, which runs with UID 1000.

Gentoo Linux Security Advisory 202208-35

Gentoo Linux Security Advisory 202208-35 - Multiple vulnerabilities have been found in Chromium and its derivatives, the worst of which could result in remote code execution. Versions less than 104.0.5112.101 are affected.

CVE-2022-2481: Stable Channel Update for Desktop

Use after free in Views in Google Chrome prior to 103.0.5060.134 allowed a remote attacker who convinced a user to engage in specific user interactions to potentially exploit heap corruption via UI interaction.