The US Cybersecurity and Infrastructure Security Agency (CISA) on Friday urged users and administrators to update to a new version of Chrome that Google released last week to fix a total of seven vulnerabilities in its browser.
In an advisory, Google described four of the flaws — three of which were reported to the company by external researchers — as presenting a high risk for organizations. The company said it had decided to restrict access to bug details until most users have updated to the new version of Chrome (102.0.5005.115).
One of the vulnerabilities is a use-after-free issue in the WebGPU application programming interface for functions such as computation and rendering on a Graphics Processing Unit. The bug (CVE-2022-2007) is remotely exploitable and can have an impact on the confidentiality, integrity, and availability of affected systems, according to a description of the flaw on vulnerability database VulDB. “No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction,” VulDB noted.
Google awarded $10,000 to the security researcher who reported the flaw to the company in May. VulDB estimated the price for an exploit for the flaw to be between $5,000 and $25,000 currently, though that could go up soon, it noted.
The second flaw is an out-of-bounds memory access issue in the WebGL API for rendering 2D and 3D graphics. Two researchers from Vietnamese firm VinCSS Internet Security Services reported the bug (CVE-2022-2008) in April. VulDB described the flaw as being remotely exploitable but requiring at least some user interaction by the victim. The flaw appears to be easily exploitable and requires no authentication, VulDB said. Google’s advisory noted the reward for disclosing the vulnerability had yet to be determined.
The third high-severity vulnerability that the new Chrome version addresses (CVE-2022-2010) is an out-of-bounds read issue in compositing or in rendering Web page content. A security researcher with Google’s own Project Zero bug hunting team discovered the vulnerability in May. Like the other two flaws, this one also affects the confidentiality, integrity, and availability of affected systems, VulDB said.
The fourth high-severity vulnerability that Google disclosed is a use-after-free issue that an external security researcher reported to the company in May. The flaw (CVE-2022-2011) exists in ANGLE, a function that Google describes as an “almost native Graphics Layer engine” in Chrome. The memory corruption vulnerability has a nearly identical impact to the other three, based on VulDB’s description of the issue.
CISA: Flaws Allow Attackers to Take Control of Affected Systems
CISA urged organizations to review Google’s Chrome release note and apply the update to mitigate risk. “Google has released Chrome version 102.0.5005.115 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system,” it said.
The seven flaws that Google addressed with its latest Chrome version are considerably fewer than in some other recent Chrome-related bug disclosures from the company. A Chrome update that Google released on May 24 included fixes for 32 flaws, one of which was rated as being of critical severity while seven others were rated as being highly critical. Another update, also in May, contained fixes for 13 flaws, eight of which the company rated as being of high severity.