Saturday, November 23, 2024

37 new vulnerabilities have been found in Google Chrome

Google Chrome users need to be on high alert. After a record-breaking number of attacks last year, Google has already issued the first serious new upgrade warning of 2022 to all the browser's two billion users.

Google Issues Warning For 2 Billion Chrome Users

Google confirmed the news in a new blog post, where it revealed that an eye-opening 37 security vulnerabilities have been discovered. Google has classified 10 of these vulnerabilities as posing a 'High' threat level, with a further one rated 'Critical'. Linux, macOS and Windows users are all affected and need to take immediate action.

Google is currently restricting information about the new attacks to buy Chrome users time, but it has revealed the areas that these top threats target:

  • Critical – CVE-2022-0096: Use after free in Storage. Reported by Yangkang (@dnpushme) of 360 ATA on 2021-11-30
  • High – CVE-2022-0097: Inappropriate implementation in DevTools. Reported by David Erceg on 2020-08-17
  • High – CVE-2022-0098: Use after free in Screen Capture. Reported by @ginggilBesel on 2021-11-24
  • High – CVE-2022-0099: Use after free in Sign-in. Reported by Rox on 2021-09-01
  • High – CVE-2022-0100: Heap buffer overflow in Media streams API. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-08-10
  • High – CVE-2022-0101: Heap buffer overflow in Bookmarks. Reported by raven (@raid_akame) on 2021-09-14
  • High – CVE-2022-0102: Type Confusion in V8. Reported by Brendon Tiszka on 2021-10-14
  • High – CVE-2022-0103: Use after free in SwiftShader. Reported by Abraruddin Khan and Omair on 2021-11-21
  • High – CVE-2022-0104: Heap buffer overflow in ANGLE. Reported by Abraruddin Khan and Omair on 2021-11-25
  • High – CVE-2022-0105: Use after free in PDF. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2021-11-28
  • High – CVE-2022-0106: Use after free in Autofill. Reported by Khalil Zhani on 2021-12-10

It may be a new year, but these threats follow a familiar pattern. 'Use-After-Free' (UAF) bugs have been the favored route of attack on Chrome for several months now and once again make up the majority of the list. Almost 50 UAF vulnerabilities have now been found in Chrome since September. A UAF vulnerability is a memory-safety bug that arises when a program frees a block of memory but keeps a usable pointer to it, typically because the pointer was never cleared after the free; anything later placed in that block can then be read or written through the stale pointer.
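As an added illustration of the use-after-free pattern described above (this is not code from the article or from Chrome), the constructed C snippet below uses a toy single-slot allocator, so that the freed block is deterministically handed to the next caller; the names toy_alloc, toy_free and session_t are assumptions made for the example. The first function keeps the dangling pointer and reads another session's data through it; the second clears the pointer after free and refuses the stale access.

```c
#include <stddef.h>

/* Toy single-slot allocator (constructed for this example): a freed block is
 * handed straight to the next caller, so a dangling pointer aliases the new
 * owner. Real heaps recycle freed chunks in much the same way. */
static long slot[4];            /* 32 bytes, naturally aligned */
static int slot_in_use;

static void *toy_alloc(size_t n) {
    if (slot_in_use || n > sizeof slot) return NULL;
    slot_in_use = 1;
    return slot;
}
static void toy_free(void *p) {
    if (p == (void *)slot) slot_in_use = 0;   /* contents are not wiped */
}

typedef struct { int uid; int is_admin; } session_t;

/* Vulnerable pattern described in the article: the pointer is not cleared
 * after free. Returns the is_admin value the stale pointer observes once the
 * block has been reused for a different session. */
int uaf_read_is_admin(void) {
    session_t *s = toy_alloc(sizeof *s);
    s->uid = 1000; s->is_admin = 0;
    toy_free(s);                                  /* s is now dangling */

    session_t *other = toy_alloc(sizeof *other);  /* same block, new owner */
    other->uid = 0; other->is_admin = 1;

    int seen = s->is_admin;                       /* use after free */
    toy_free(other);
    return seen;                                  /* 1: guest now looks like admin */
}

/* Hardened pattern: clear the pointer right after free and refuse NULL.
 * Returns -1 when the stale access is correctly refused. */
int safe_read_is_admin(void) {
    session_t *s = toy_alloc(sizeof *s);
    s->uid = 1000; s->is_admin = 0;
    toy_free(s);
    s = NULL;                                     /* dangling pointer neutralised */

    session_t *other = toy_alloc(sizeof *other);
    other->uid = 0; other->is_admin = 1;

    int seen = s ? s->is_admin : -1;              /* NULL check catches the bug */
    toy_free(other);
    return seen;
}
```

Clearing the pointer only helps the code that owns that pointer; a real fix also has to find every other copy of it, which is why UAF bugs in a codebase the size of Chrome keep recurring.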


Heap buffer overflow flaws also remain a popular route of attack. Memory on the heap is dynamically allocated and typically holds program data; an overflow there, also referred to as 'heap smashing', can overwrite critical data structures, which makes it an attractive target for attackers.

What You Need To Do

In response to these threats, Google has released Chrome 97, a major new version of Chrome, to all users. Google warns that this release (exact version number 97.0.4692.71) “will roll out over the coming days/weeks”. This means you may not be able to protect yourself immediately. 

Am I Protected?

To check whether you are protected, navigate to Settings > Help > About Google Chrome. If your Chrome version is listed as 97.0.4692.71 or higher, you are safe. If the update is not yet available for your browser, it is important that you check regularly for the new version. And remember, it is critical that you restart your browser after you have updated, because you are not protected until this is done, something many users forget.

Browser hacks broke records in 2021 and I fully expect them to be smashed again in 2022. So start the new year with a good deed and make checking your browser version the very next thing you do. Do it now. 

Steven Black (n0tst3)
Hello! I'm Steve, an independent security researcher and analyst from Scotland, UK. I've had an avid interest in computers, technology and security since my early teens. 20 years on, it's a whole lot more complicated... I've assisted governments, individuals and organizations throughout the world, including the US DOJ, NHS UK and GOV UK. I'll often reblog infosec-related articles that I find interesting. On the RiSec website, you'll also find a variety of write-ups, tutorials and much more!