You Need to Update Chrome Again
If you recently updated Google Chrome to version 104, you may be surprised to learn that another update is already available for your browser. After all, the latest update fixed 27 security vulnerabilities: what's left to fix? As it turns out, there is more, including a new security vulnerability that hackers already know how to exploit.
Google announced the update in a Chrome Releases blog post on Tuesday, August 16th. The new version of Chrome, 104.0.5112.101 for Mac and Linux and 104.0.5112.102/101 for Windows, is now available on all platforms.
The patch includes fixes for 11 security vulnerabilities: one is marked as critical, six are marked as high, and three are marked as medium. However, the real story concerns one of the high-severity vulnerabilities, designated CVE-2022-2856: Google has confirmed that an exploit for this vulnerability exists in the wild, making it a zero-day vulnerability.
Zero-days are dangerous. While most security vulnerabilities are never exploited before a patch is released, some are. When someone manages not only to discover a vulnerability in software but also to figure out how to use it against others before a fix is available, that vulnerability becomes a zero-day, and CVE-2022-2856 is one such vulnerability.
The flaw is described as "insufficient validation of untrusted input in Intents". According to Bleeping Computer, this type of vulnerability can lead to issues such as "buffer overflows, directory traversal, SQL injection, cross-site scripting, null byte injection, and more." This is a long list of consequences that can compromise your system, and since an exploit exists in the wild, updating Chrome should be a priority.
However, it's not just this zero-day that should convince you to upgrade: the other 10 issues are still important to fix now that they have been publicly disclosed. Hackers can still find ways to exploit these vulnerabilities, so it's important to upgrade to protect yourself across the board.
You can view all 11 vulnerabilities fixed in this update below, including who discovered the vulnerabilities and the bounty they received for doing so:
- [$NA][1349322] Critical CVE-2022-2852: Use after free in FedCM. Reported by Sergey Glazunov of Google Project Zero on August 02, 2022.
- [$7000][1337538] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunication Corp. Ltd. on June 18, 2022.
- [$7000][1345042] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunication Corp. Ltd. on July 16, 2022.
- [$5000][1338135] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on June 21, 2022.
- [$5000][1341918] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven of KunLun lab on July 05, 2022.
- [$NA][1350097] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergey Glazunov of Google Project Zero on August 4, 2022.
- [$NA][1345630] High CVE-2022-2856: Insufficient validation of untrusted input in Intents. Reported by Ashley Shen and Christian Resell of Google Threat Analysis Group on July 19, 2022.
- [$3000][1338412] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on June 22, 2022.
- [$2000][1345193] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on July 18, 2022.
- [$TBD][1346236] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on July 21, 2022.
- [1353442] Various fixes from internal audits, fuzzing and other initiatives.
How to update Google Chrome
Whether you're on Mac, Windows, or Linux, you can quickly update Chrome to fix not only this zero-day vulnerability, but the 10 other flaws as well. Click on the three dots in the top right corner of the browser window, then select Help > About Google Chrome. Let Chrome search for a new update. If one is available, you'll be able to click Restart to install it.
If you have automatic updates turned on, you can simply wait for Chrome to install the update on its own. However, this can take several weeks, so the fastest way to secure your browser is to update Chrome yourself.
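If you look after more than one machine, the same check can be scripted. The following is an added example, not code from Google or from the original article: it compares reported Chrome version strings against the fixed build named above, and the host names, sample versions and function names are constructed for illustration.

```python
import re

# Fixed builds named in the article: 104.0.5112.101 (Mac, Linux) and
# 104.0.5112.102/101 (Windows), so .101 is the minimum on every platform.
PATCHED = (104, 0, 5112, 101)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part version from text such as 'Google Chrome 104.0.5112.79'."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.groups())


def is_patched(text):
    """True at or above the fixed build, False if older, None if unparseable."""
    version = parse_version(text)
    if version is None:
        return None
    # Compare as integer tuples. Comparing the raw strings would be wrong:
    # "104.0.5112.79" sorts after "104.0.5112.101" lexically.
    return version >= PATCHED


def audit(inventory):
    """Group (host, version_text) pairs into patched / vulnerable / unknown."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, text in inventory:
        status = is_patched(text)
        key = "unknown" if status is None else ("patched" if status else "vulnerable")
        report[key].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("mac-01", "Google Chrome 104.0.5112.101"),
    ("win-07", "Google Chrome 104.0.5112.102"),
    ("lin-03", "Google Chrome 104.0.5112.79"),
    ("win-12", "Google Chrome 103.0.5060.134"),
    ("lin-09", "Google Chrome 105.0.5195.52"),
    ("mac-04", "version unavailable"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts that land in the unknown group should be checked by hand through Help > About Google Chrome rather than assumed safe.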
[Bleeping Computer]