White Hat Institute

Chrome users should be extremely cautious

chrome google

Users using Google Chrome should be extremely cautious. Google has already approved the very first significant new upgrade warning of 2022 to all of the browser’s two billion users, following a record-breaking number of threats last year.

In a subsequent blog post, Google verified the story, revealing that 37 security flaws had been uncovered. Ten of these flaws have been rated as providing a ‘High’ risk rating by Google, with one hack rated as critically harmful. Users using Linux, macOS, and Windows are all vulnerable and must take action immediately.

Google is presently withholding information on all new threats in order to give Chrome users more time, but it has highlighted the areas where these top threats are focusing their efforts:

  • CVE-2022–0096: Use after free in Storage is a critical vulnerability. Yangkang (@dnpushme) of 360 ATA reported this on 2021–11–30.
    High — CVE-2022–0097: Inappropriate DevTools implementation. David Erceg reported it on the 17th of August, 2020.
  • High — CVE-2022–0098: In Screen Capture, use after free. @ginggilBesel reported this on 2021–11–24.
  • High — CVE-2022–0099: Use after signing up for free. Rox reported this on 2021–09–01.
  • High — Heap buffer overflow in the Media streams API (CVE-2022–0100). Cassidy Kim of the Amber Security Lab at OPPO Mobile Telecommunications Corp. Ltd. reported this on 2021–08–10.
  • High — CVE-2022–0101: Bookmarks heap buffer overflow. On 2021–09–14, raven (@raid akame) reported it.
  • CVE-2022–0102: Type Confusion in V8 is a high-risk vulnerability. Brendon Tiszka reported it on the 14th of October, 2021.
  • High — CVE-2022–0103: In SwiftShader, use after free. Abraruddin Khan and Omair reported it on 2021–11–21.
  • CVE-2022–0104: Heap buffer overflow in ANGLE is a high-risk vulnerability. Abraruddin Khan and Omair reported on 2021–11–25.
  • High — CVE-2022–0105: Use in PDF after it’s free. Cassidy Kim of the Amber Security Lab at OPPO Mobile Telecommunications Corp. Ltd. reported this on 2021–11–28.
  • High — CVE-2022–0106: In Autofill, use after free. Khalil Zhani reported it on December 10, 2021.

 

Despite the fact that it is a new year, these attacks follow a predictable sequence. Over several months, ‘Use-After-Free’ (UAF) vulnerabilities have been the preferred method of attack on Chrome, and they now account for the bulk of attacks. Since September, around 50 UAF flaws have been discovered in Chrome. Memory exploitation known as UAF is formed when the software fails to delete the pointer to the memory after it has been released.

Heap buffer overflow issues are still a prominent attack vector. The heap, sometimes known as ‘Heap Smashing,’ is loaded into memory space that generally houses computer data. Important data formats can be altered by an overflow, making it a perfect target for hackers.

Possible remediations:

Google has issued Chrome 97, a significant new update of Chrome, to all users in response to these challenges. This update (precise version number 97.0.4692.71) “will roll out over the coming days/weeks,” according to Google. This indicates that you might not be able to defend yourself right away.

To see whether you are secured, go to Settings > Help > About Google Chrome. You are protected if your Chrome browser has a version number of 97.0.4692.71 or higher. If the latest version for your browser is not yet available, it is critical that you search for it on a frequent basis. Also, note that you must reboot your browser after updating because you will not be secured unless you do so. Many users overlook this.