Chrome users beware: less than two weeks after I reported a critical attack on Google’s browser, numerous new hacks have been confirmed.
Google disclosed the vulnerabilities in a new blog post, where it confirmed that 27 vulnerabilities have been discovered in Chrome. Of these, Google warns that eight are classified as posing a ‘High’ threat level. Users of Windows, Mac and Linux operating systems are all affected.
In order to buy time for Chrome users to upgrade, Google is currently restricting information about these threats, but it has revealed the areas within the browser that are affected. I have listed the high-rated vulnerabilities below:
- High – CVE-2022-0452: Use after free in Safe Browsing. Reported by avaue at S.S.L. on 2022-01-05
- High – CVE-2022-0453: Use after free in Reader Mode. Reported by Rong Jian of VRI on 2022-01-06
- High – CVE-2022-0454: Heap buffer overflow in ANGLE. Reported by Seong-Hwan Park (SeHwa) of SecunologyLab on 2022-01-17
- High – CVE-2022-0455: Inappropriate implementation in Full Screen Mode. Reported by Irvan Kurniawan (sourc7) on 2021-11-16
- High – CVE-2022-0456: Use after free in Web Search. Reported by Zhihua Yao of KunLun Lab on 2022-01-21
- High – CVE-2022-0457: Type Confusion in V8. Reported by rax of the Group0x58 on 2021-11-29
- High – CVE-2022-0458: Use after free in Thumbnail Tab Strip. Reported by Leecraso and Guang Gong of 360 Alpha Lab on 2021-11-05
- High – CVE-2022-0459: Use after free in Screen Capture. Reported by raven (@raid_akame) on 2021-08-28
The big takeaway here is that ‘Use-After-Free’ (UAF) exploits not only continue to be the dominant method of attack by hackers, but their popularity is growing. Five of the eight high-rated Chrome attacks use this method, bringing the total number of successful high/critical-rated UAF Chrome hacks to 21 since the start of the year.
UAF vulnerabilities are memory-safety flaws that arise when a program fails to clear the pointer to a block of memory after that memory is freed, and then goes on to use the stale pointer.
Right behind UAF are heap buffer overflow attacks, also known as ‘Heap Smashing’. Memory on the heap is dynamically allocated and typically contains program data. Chrome V8 exploits have also been rife over the last year. V8 is an open-source JavaScript engine which is used by Google Chrome and Chromium-based web browsers like Microsoft Edge, Opera, Amazon Silk, Brave, Yandex and Vivaldi.
What You Need To Do
In response to these hacks, Google has announced Chrome 98 (specifically 98.0.4758.80/81/82 for Windows and 98.0.4758.80 for Mac and Linux). Google warns that the release “will roll out over the coming days/weeks”, so you may not be able to protect yourself immediately.
To see if Chrome 98 has rolled out to your computer, go to Settings > Help > About Google Chrome. If your Chrome browser is listed as 98.0.4758.80 or higher, you are protected. If the update is not installed or listed as being available for your browser, check regularly and do not take risks with your browsing.
When you do update, remember Chrome must be restarted for the fix to take effect. Chrome is now used by 3 billion users worldwide on desktop and mobile, making it a huge target for hackers, and they can find easy targets among users who fail to complete that crucial final step. Don’t be one of them.
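The check described above, extended to a small fleet inventory, as an added example that is not part of the original article: it compares version numbers numerically against the 98.0.4758.80 build and separately flags machines where the update is installed but Chrome has not yet been restarted. The host names, the sample version strings and the installed/running fields are constructed assumptions about what an inventory tool would report.

```python
import re

# Minimum patched build named in the article (Windows also ships .81/.82).
PATCHED = (98, 0, 4758, 80)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Pull a four-part Chrome version out of text such as
    'Google Chrome 98.0.4758.80'. Returns a tuple of ints, or None."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(part) for part in m.groups()) if m else None


def classify(installed, running=None):
    """Return 'protected', 'restart-needed', 'vulnerable' or 'unknown'.

    installed: version string of the binary on disk.
    running:   version string of the live browser process, if known
               (hypothetical inventory field); None means not reported.
    """
    inst = parse_version(installed)
    if inst is None:
        return "unknown"
    if inst < PATCHED:  # tuple comparison is numeric, component by component
        return "vulnerable"
    run = parse_version(running) if running else inst
    if run is None:
        return "unknown"
    # Update is on disk, but an old process is still running until restart.
    return "protected" if run >= PATCHED else "restart-needed"


# Constructed sample inventory: (host, installed version, running version).
INVENTORY = [
    ("host-a", "Google Chrome 98.0.4758.80", "98.0.4758.80"),
    ("host-b", "Google Chrome 97.0.4692.99", "97.0.4692.99"),
    ("host-c", "Google Chrome 98.0.4758.82", "97.0.4692.99"),
    ("host-d", "Google Chrome 98.0.4758.9", None),   # 9 < 80 numerically
    ("host-e", "Google Chrome 100.0.4896.60", None),  # 100 > 98 numerically
    ("host-f", "not installed", None),
]


def audit(inventory=INVENTORY):
    return {host: classify(inst, run) for host, inst, run in inventory}


if __name__ == "__main__":
    for host, status in audit().items():
        print(f"{host}: {status}")
```

Comparing the versions as plain strings would misorder host-d and host-e, which is why each component is converted to an integer first.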