Time for an update: Google fixes seven Chrome browser bugs, four of which are rated ‘high’ risk
Google has released updates for Chrome to fix seven security vulnerabilities – including four rated high risk – discovered in the browser used by millions of people around the world.
According to an alert from the United States Cybersecurity & Infrastructure Agency (CISA), attackers could exploit vulnerabilities in Google Chrome for Windows, Mac, and Linux “to take control of an affected system.”
CISA encourages users to update to the latest version of Google Chrome – 102.0.5005.115 – to prevent exploitation of security vulnerabilities.
Other high-risk vulnerabilities in Google Chrome that the security update fixes are CVE-2022-2010, an out-of-bounds read vulnerability in Chrome’s compositing component, and CVE-2022-2011, a use-after-free (UAF) vulnerability in ANGLE, an open source, cross-platform graphics engine abstraction layer used in the Chrome backend.
Full details on how attackers can exploit the high-risk vulnerabilities have yet to be disclosed, in accordance with Google’s policy of waiting for most users to apply updates before revealing more.
“Access to bug details and links may be restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects are similarly dependent on, but have not yet been fixed,” Google’s blog post on the Chrome release said.
CVE-2022-2010 was discovered by Google’s Project Zero research team, while the others were discovered by independent security researchers. Security researcher David Manouchehri received a $10,000 bug bounty for disclosing CVE-2022-2007. Bug bounties for the researchers who discovered CVE-2022-2008 and CVE-2022-2011 have yet to be determined.
“We also want to thank all the security researchers who worked with us during the development cycle to prevent security bugs from reaching the stable channel,” Google said.