CERTs Urge Patching of Google Chrome, Android Flaws
Exploitation May Lead to DoS, Data Privacy Breach, RCE Attacks
Several global Computer Emergency Response Teams have issued alerts as well as fixes for Google Chrome browser and Android operating system vulnerabilities.
Countries issuing the alerts include France, India and Canada.
Google Chrome Vulnerabilities
The Canadian Center for Cyber Security, in its advisory, says that all Chrome for desktop versions prior to 98.0.4758.80 are vulnerable to all flaws reported by the technology giant.
Google Chrome, in its Chrome release update, says that a total of 27 security fixes, including 10 high-, 14 medium- and 3 low-severity vulnerabilities, have been made. Of these, 19 vulnerabilities were disclosed by external security researchers, while the rest were found by internal researchers during "internal audits, fuzzing and other initiatives."
The vulnerabilities in Google Chrome browser and OS can be used by a threat actor to execute arbitrary code, according to CERT-In. These vulnerabilities exist due to the following conditions:
- CVE-2022-0452: Use after free in Safe Browsing;
- CVE-2022-0453: Use after free in Reader Mode;
- CVE-2022-0454: Heap buffer overflow in ANGLE;
- CVE-2022-0455: Inappropriate implementation in Full Screen Mode;
- CVE-2022-0456: Use after free in Web Search;
- CVE-2022-0457: Type Confusion in V8;
- CVE-2022-0458: Use after free in Thumbnail Tab Strip;
- CVE-2022-0459: Use after free in Screen Capture;
- CVE-2022-0460: Use after free in Window Dialog;
- CVE-2022-0461: Policy bypass in COOP;
- CVE-2022-0462: Inappropriate implementation in Scroll;
- CVE-2022-0463: Use after free in Accessibility;
- CVE-2022-0464: Use after free in Accessibility;
- CVE-2022-0465: Use after free in Extensions;
- CVE-2022-0466: Inappropriate implementation in Extensions Platform;
- CVE-2022-0467: Inappropriate implementation in Pointer Lock;
- CVE-2022-0468: Use after free in Payments;
- CVE-2022-0469: Use after free in Cast;
- CVE-2022-0470: Out of bounds memory access in V8.
The latest stable channel update of Chrome for desktop includes fixes for all operating systems and the following version numbers: Windows (98.0.4758.80/81/82), Mac and Linux (98.0.4758.80).
Google Chrome says that the roll-out to all OS versions will be completed in the coming days.
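An added example, not code from Google or any of the CERTs cited: a minimal fleet check against the 98.0.4758.80 threshold quoted above, comparing versions numerically so that a build such as 98.0.4758.9 is not mistaken for a patched one. The inventory format, host names and version banners are constructed assumptions.

```python
import re

# Fixed-version threshold quoted in the article (Chrome for desktop).
FIXED = (98, 0, 4758, 80)

# Constructed sample inventory, "host,os,version banner" (not real data).
SAMPLE_INVENTORY = """\
ws-001,Windows,Google Chrome 98.0.4758.82
ws-002,Windows,Google Chrome 97.0.4692.99
mac-014,Mac,Google Chrome 98.0.4758.80
lnx-203,Linux,Google Chrome 98.0.4758.9
lnx-204,Linux,Chromium (unknown build)
"""

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(banner):
    """Return the four-part version as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(banner)
    return tuple(int(p) for p in m.groups()) if m else None


def audit(inventory, fixed=FIXED):
    """Classify each host as 'patched', 'vulnerable' or 'unknown'."""
    results = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        parts = [f.strip() for f in line.split(",", 2)]
        host, banner = parts[0], parts[-1]
        version = parse_version(banner)
        if version is None:
            results[host] = "unknown"      # no parsable version: check by hand
        elif version < fixed:              # tuple compare is numeric per field
            results[host] = "vulnerable"
        else:
            results[host] = "patched"
    return results


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

Hosts reported as `unknown` are not treated as patched; they need a manual check.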
A total of 37 vulnerabilities, ranging from critical to high severity, have been noted by Android in its latest security patch update. Successful exploitation of these vulnerabilities allows a threat actor to exfiltrate sensitive data, escalate privileges and cause a denial-of-service condition on the targeted system.
The vulnerabilities affect various frameworks and components of Android, including Framework, Media Framework, System, Google Play system updates, Amlogic, Mediatek, Unisoc, Qualcomm, and Qualcomm closed-source components. Android says that the vulnerabilities affect only versions 10, 11 and 12.
Of all the vulnerabilities, Android rates CVE-2021-39675 as the most critical one because it provides remote escalation of privileges and does so without any user interaction.
Android lists the vulnerabilities in the security patch update at two separate security patch levels, "so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly," it says. All partners, however, are encouraged to apply both security patch levels as soon as possible.
Immediate Action Required
"Consumers need to take immediate action when software suppliers provide fixes to issues that can be exploited without user intervention or have been classified as of high or critical importance," John Goodacre, director of U.K. Research and Innovation’s Digital Security by Design, tells ISMG.
"This is especially true as hackers may already be exploiting the issue and if not, the release of the patch can give hackers insight on how to exploit it," the professor of computer architectures at the University of Manchester says.
"Until our devices are built using future by-design security technologies, all users of software need to react to such updates at the earliest opportunity. We often hear about users delaying updates, for example in responding to the Log4j disclosure, and how they are still suffering from attacks. We surely don't want a repeat of that," Goodacre says.
Alan Calder, CEO of IT risk management solutions provider GRC International Group, says there is never a good reason to delay deploying patches. "There is only a risk calculation," he says, "that being: What is the benefit of delay versus what is the impact of being breached?"