Chrome browser receives 11 security patches including 1 zero-day – update now! – Bare Security
Google’s latest Chrome browser update is out, bumping the four-part version number to 104.0.5112.101 (Mac and Linux), or to 104.0.5112.102 (Windows).
According to Google, the new version includes 11 security patches, one of which is annotated with the note that “an exploit [for this vulnerability] exists in the wild”, making it a zero-day hole.
The name zero-day is a reminder that there were zero days on which even the most informed and proactive user or system administrator could have patched before the bad guys.
Update details are sparse, as Google, like many other vendors these days, limits access to bug details “until a majority of users are updated with a fix”.
But Google’s release bulletin explicitly lists 10 of the 11 bugs, as follows:
- CVE-2022-2852: Use after free in FedCM.
- CVE-2022-2854: Use after free in SwiftShader.
- CVE-2022-2855: Use after free in ANGLE.
- CVE-2022-2857: Use after free in Blink.
- CVE-2022-2858: Use after free in the login flow.
- CVE-2022-2853: Heap buffer overflow in downloads.
- CVE-2022-2856: Insufficient validation of untrusted inputs in intents. (Zero-day.)
- CVE-2022-2859: Use after free in Chrome OS Shell.
- CVE-2022-2860: Insufficient policy enforcement in cookies.
- CVE-2022-2861: Improper implementation in the Extensions API.
As you can see, seven of these bugs were caused by poor memory management.
A use-after-free vulnerability means that one part of Chrome handed back a block of memory it no longer planned to use, so that it could be reallocated for use elsewhere in the software…
…only to keep using that memory anyway, which could cause one part of Chrome to rely on data it thought it could trust, not realizing that another part of the software could still tamper with that data.
Often, bugs of this type crash the software completely, by corrupting calculations or memory accesses beyond recovery.
Sometimes, however, use-after-free bugs can be deliberately triggered in order to misdirect the software into misbehaving (e.g. skipping a security check or trusting the wrong block of input data) and cause unauthorized behavior.
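The memory reuse described above can be shown deterministically, without real memory corruption. The following C sketch is an added example, not code from Chrome or from Google's bulletin; its one-slot pool, handle type and function names are all hypothetical. It shows a stale reference reading another component's data, and a generation check that rejects the stale reference.

```c
#include <stdio.h>
#include <string.h>

/* Toy one-slot "heap": every allocation reuses the same storage, so the
   reuse that makes use-after-free dangerous happens deterministically
   and without undefined behaviour. All names here are hypothetical. */
typedef struct { char data[32]; unsigned gen; int live; } Slot;
typedef struct { Slot *slot; unsigned gen; } Handle;  /* checked reference */

static Slot pool;

static Handle pool_alloc(const char *contents) {
    pool.live = 1;
    pool.gen++;                       /* new generation per allocation */
    snprintf(pool.data, sizeof pool.data, "%s", contents);
    return (Handle){ &pool, pool.gen };
}

static void pool_free(Handle h) { h.slot->live = 0; }

/* Unchecked access: behaves like a raw dangling pointer. */
static const char *read_raw(Handle h) { return h.slot->data; }

/* Checked access: refuses handles whose block was freed or reallocated. */
static const char *read_checked(Handle h) {
    if (!h.slot->live || h.slot->gen != h.gen) return NULL;
    return h.slot->data;
}

/* Component A frees its block but keeps the handle; component B then
   receives the same memory. Returns 1 if A's stale handle sees B's data. */
static int stale_read_sees_other_data(void) {
    Handle a = pool_alloc("policy=deny");      /* constructed sample data */
    pool_free(a);
    pool_alloc("policy=allow");                /* B's data, same memory */
    return strcmp(read_raw(a), "policy=allow") == 0;
}

/* Same sequence, but A reads through the generation check instead. */
static int checked_read_rejects_stale(void) {
    Handle a = pool_alloc("policy=deny");
    pool_free(a);
    Handle b = pool_alloc("policy=allow");
    return read_checked(a) == NULL && read_checked(b) != NULL;
}

int main(void) {
    printf("stale raw read sees other data: %d\n", stale_read_sees_other_data());
    printf("checked read rejects stale handle: %d\n", checked_read_rejects_stale());
    return 0;
}
```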
A heap buffer overflow means requesting a block of memory, but then writing more data than will safely fit into it.
This overflows the officially allocated buffer and overwrites data in the next block of memory, even though that memory may already be in use by another part of the program.
Buffer overflows therefore generally produce side effects similar to use-after-free bugs: more often than not, the vulnerable program will crash; sometimes, however, the program may be tricked into executing untrusted code without warning.
The zero-day hole
The zero-day bug CVE-2022-2856 is presented with no more detail than you see above: “Insufficient validation of untrusted inputs in intents.”
A Chromium Intent is a mechanism for triggering applications directly from a web page, in which data from the web page is fed into an external application launched to process that data.
Google has not provided any details about which apps or what type of data could be maliciously manipulated by this bug…
…but the danger seems rather obvious if the known exploit involves silently feeding a local application with the kind of risky data that would normally be blocked for security reasons.
What to do?
Chrome will likely update itself, but we still recommend checking anyway.
On Windows and Mac, use More > Help > About Google Chrome > Update Google Chrome.
There is a separate release bulletin for Chrome for iOS, which goes to version 104.0.5112.99, but no bulletin yet [2022-08-17T12:00Z] that mentions Chrome for Android.
On iOS, make sure your App Store apps are up to date. (Use the App Store app itself to do this.)
You can monitor any upcoming Android update announcements on the Google Chrome Releases blog.
The open-source Chromium variant of the proprietary Chrome browser is also currently at version 104.0.5112.101.
Microsoft Edge security notes, however, currently [2022-08-17T12:00Z] say:
August 16, 2022
Microsoft is aware of the recent exploit existing in the wild. We are actively working on releasing a security patch as reported by the Chromium team.
You can keep an eye out for an Edge update on Microsoft’s official Edge Security Updates page.