Google, Apple squash exploitable browser bugs • The Register
Google has released 11 security patches for desktop Chrome, including a fix for a bug that has an exploit in the wild.
This high-severity vulnerability, tracked as CVE-2022-2856, is an insufficient input validation bug, and as usual, Google won’t release many details about it until most Chrome users have updated and the code is fixed.
In an advisory, the internet giant described the flaw as “insufficient validation of untrusted input in Intents” and noted that it “is aware that an exploit for CVE-2022-2856 exists in the wild”.
Chrome Intents can be used to launch apps from web pages and pass data to those apps.
Sophos security researchers note that Google has not provided any details on how this feature can be manipulated to compromise a user’s device. “The danger seems rather obvious if the known exploit is to silently feed a local application with the kind of risky data that would normally be blocked for security reasons,” added Paul Ducklin of Sophos.
Googlers Ashley Shen and Christian Resell, both members of the Threat Analysis Group, reported the vulnerability on July 19.
This is the fifth Chrome bug Google has fixed this year that has been exploited in the wild or has exploit code circulating.
Although Google is not aware of any exploits for the remaining bugs on today’s list, one received a critical severity rating and five others were rated as high severity.
The Center for Internet Security, which rated the risk of these Chrome vulnerabilities as “high” for large and medium-sized government agencies and businesses, and “medium” for small governments and businesses, warned that the most serious of the bugs would allow an attacker to execute malicious code “in the context of the logged-in user”.
“Depending on the privileges associated with the user, an attacker could then install programs; view, modify, or delete data; or create new accounts with full user rights,” CIS explained in a security advisory. “Users whose accounts are configured to have fewer system user rights may be less impacted than those operating with administrative user rights.”
In addition to the bug under active exploit, Google detailed nine of the 11 bugs in its update (104.0.5112.101 for Mac and Linux and 104.0.5112.102/101 for Windows). These are:
- CVE-2022-2852 (critical): use after free in FedCM
- CVE-2022-2854 (high): use after free in SwiftShader
- CVE-2022-2855 (high): use after free in ANGLE
- CVE-2022-2857 (high): use after free in Blink
- CVE-2022-2858 (high): use after free in Sign-In Flow
- CVE-2022-2853 (high): heap buffer overflow in Downloads
- CVE-2022-2859 (medium): use after free in Chrome OS Shell
- CVE-2022-2860 (medium): insufficient policy enforcement in Cookies
- CVE-2022-2861 (medium): inappropriate implementation in Extensions API
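The fixed builds named above are what a fleet administrator actually needs to check against. As an added example (not code from The Register or Google), the script below compares reported Chrome versions from a constructed inventory against those builds; it assumes 104.0.5112.101 as the minimum fixed version on every platform, since Google shipped both .101 and .102 for Windows, and uses integer tuple comparison because a plain string comparison would wrongly rank build .81 above build .101.

```python
# Added example, not from the article: flag hosts whose Chrome build predates
# the update that fixed CVE-2022-2856 and the other bugs listed above.
# Assumption: minimum fixed build is 104.0.5112.101 on all three platforms
# (Google shipped both 104.0.5112.101 and .102 for Windows).
from typing import Iterable, List, Tuple

FIXED_VERSIONS = {
    "mac": "104.0.5112.101",
    "linux": "104.0.5112.101",
    "windows": "104.0.5112.101",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted four-part Chrome version into a comparable integer tuple.

    Comparing the raw strings would be wrong: "104.0.5112.81" > "104.0.5112.101"
    lexically, but build 81 is older than build 101.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Chrome version format: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, platform: str) -> bool:
    """True if the installed build is at or above the fixed build for the platform."""
    try:
        minimum = FIXED_VERSIONS[platform.lower()]
    except KeyError:
        raise ValueError(f"unknown platform: {platform!r}") from None
    return parse_version(installed) >= parse_version(minimum)


def triage(inventory: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Return hostnames still on a vulnerable build, from (host, platform, version) rows."""
    return [host for host, plat, ver in inventory if not is_patched(ver, plat)]


# Constructed sample inventory (hypothetical hosts), as an MDM/EDR export might look.
SAMPLE_INVENTORY = [
    ("ws-01", "windows", "104.0.5112.102"),
    ("ws-02", "windows", "104.0.5112.81"),
    ("mac-01", "mac", "104.0.5112.101"),
    ("lx-01", "linux", "103.0.5060.134"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: Chrome build predates this update; push 104.0.5112.101 or later")
```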
The Chrome Vulnerability Reward Program has paid out at least $29,000 to bug hunters who discovered and reported these flaws.
This included two $7,000 bounties paid to Cassidy Kim of Amber Security Lab for CVE-2022-2854 and CVE-2022-2855; a $5,000 reward to an anonymous person for CVE-2022-2857; another $5,000 to raven at KunLun lab for CVE-2022-2858; $3,000 to Nan Wang and Guang Gong of 360 Alpha Lab for CVE-2022-2859; and $2,000 to Axel Chong for CVE-2022-2860.
In total, Google paid out $8.7 million in rewards to nearly 700 researchers across its various VRPs last year. ®
Speaking of patches… We just saw that Apple has released macOS 12.5.1, iOS 15.6.1 and iPadOS 15.6.1 updates to fix a kernel flaw (CVE-2022-32894) that can be exploited by an app to get full control of the Mac or device, and a flaw in WebKit (CVE-2022-32893) that can be exploited to execute arbitrary code.
Someone could thus chain the two flaws so that when a victim opens a booby-trapped web page in a WebKit browser, such as Safari, the page starts executing arbitrary code that then exploits the elevation-of-privilege flaw to hijack the computer or iThing and install spyware and other nasties.
And indeed, Apple said it “is aware of a report that this issue may have been actively exploited”, so fix it ASAP!