The US Cybersecurity and Infrastructure Agency (CISA) on Friday urged users and administrators to update to a new version of Chrome that Google released last week to fix a total of seven vulnerabilities in its browser.
In an advisory, Google described four of the flaws — three of which were reported to the company by external researchers — as posing a high risk to organizations. The company said it decided to restrict access to bug details until most users have updated to the new version of Chrome (102.0.5005.115).
One of the vulnerabilities is a so-called use-after-free issue in the WebGPU application programming interface for functions such as computing and rendering on a graphics processing unit. The bug (CVE-2022-2007) is remotely exploitable and may impact the confidentiality, integrity, and availability of affected systems, according to a description of the flaw on the VulDB vulnerability database. “No form of authentication is required for operation. This requires the victim to do some sort of interaction with the user,” VulDB noted.
Google awarded $10,000 to the security researcher who reported the flaw to the company in May. VulDB has estimated the price of an exploit for the flaw to be between $5,000 and $25,000 currently, although that may soon increase, it noted.
The second flaw is an out-of-bounds memory access issue in the WebGL API for rendering 2D and 3D graphics. Two researchers from Vietnamese company VinCSS Internet Security Services reported the bug (CVE-2022-2008) in April. VulDB described the flaw as being remotely exploitable but requiring at least some user interaction by the victim. The flaw appears to be easily exploitable and requires no authentication, VulDB said. Google’s advisory noted that the reward for disclosing the vulnerability had yet to be determined.
The third high-severity vulnerability addressed by the new version of Chrome (CVE-2022-2010) is an out-of-bounds read issue in Compositing, or the rendering of web page content. A security researcher from Google’s Project Zero bug hunting team discovered the vulnerability in May. Like the other two flaws, this one too affects the confidentiality, integrity and availability of affected systems, VulDB said.
The fourth high-severity vulnerability Google disclosed is a use-after-free issue that an external security researcher reported to the company in May. The flaw (CVE-2022-2011) exists in ANGLE, a feature that Google describes as a “near-native graphics layer engine” in Chrome. The memory corruption vulnerability has nearly the same impact as the other three, according to VulDB’s description of the issue.
CISA: Flaws allow attackers to take control of affected systems
The ACSC urged organizations to review Google Chrome’s release note and apply the update to mitigate risk. “Google has released Chrome version 102.0.5005.115 for Windows, Mac, and Linux. This release fixes vulnerabilities that an attacker could exploit to gain control of an affected system,” it said.
The seven bugs that Google fixed with its latest version of Chrome are considerably fewer than in other recent Chrome-related bug disclosures from the company. A Chrome update that Google released on May 24 included fixes for 32 flaws, one of which was rated critically severe while seven others were rated highly critical. Another update, also in May, contained fixes for 13 flaws, eight of which the company deemed very serious.