Google last week reported seven vulnerabilities in the browser, four of which it rated as high severity.

3 Min Read
Chrome logo on computer screen
Source: Evan Lorne via Shutterstock

The US Cybersecurity and Infrastructure Agency (CISA) Friday urged users and administrators to update to a new version of Chrome that Google released last week to fix a total of seven vulnerabilities in its browser.

In an advisory, Google described four of the flaws — three of which were reported to the company by external researchers — as presenting a high risk for organizations. The company said it had decided to restrict access to bug details until most users have updated to the new version of Chrome (102.0.5005.115).

One of the vulnerabilities is a so-called use after free issue in the WebGPU application programming interface for functions such as computation and rendering on a Graphics Processing Unit. The bug (CVE-2022-2007) is remotely exploitable and can have an impact on the confidentiality, integrity, and availability of affected systems, according to a description of the flaw on vulnerability database VulDB. "No form of authentication is needed for exploitation. It demands that the victim is doing some kind of user interaction," VulDB noted.

Google awarded $10,000 to the security researcher who reported the flaw to the company in May. VulDB estimated the price for an exploit for the flaw to be between $5,000 and $25,000 currently, though that could go up soon, it noted.

The second flaw is an out-of-bounds memory access use in the WebGL API for rendering 2D and 3D graphics. Two researchers from Vietnamese firm VinCSS Internet Security Services reported the bug (CVE-2022-2008) in April. VulDB described the flaw as being remotely exploitable but requiring at least some user interaction by the victim. The flaw appears to be easily exploitable and requires no authentication, VulDB said. Google's advisory noted the reward for disclosing the vulnerability had yet to be determined.

The third high-severity vulnerability that the new Chrome version addresses (CVE-2022-2010) is an out-of-bound read issue in compositing or in rendering Web page content. A security researcher with Google's own Project Zero bug hunting team discovered the vulnerability in May. Like the other two flaws, this one also affects the confidentiality, integrity, and availability of affected systems, VulDB said.

The fourth high severity vulnerability that Google disclosed is a use-after-free issue that an external security researcher reported to the company in May. The flaw (CVE-2022-2011) exists in ANGLE, a function that Google describes as an "almost native Graphics Layer engine" in Chrome. The memory corruption vulnerability has a near identical impact as the other three, based on VulDB's description of the issue.

CISA: Flaws Allow Attackers to Take Control of Affected Systems

CISA urged organizations to review Google's Chrome release note and apply the update to mitigate risk. "Google has released Chrome version 102.0.5005.115 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system," it said.

The seven flaws that Google addressed with its latest Chrome version is considerably smaller in number than some other recent Chrome-related bug disclosures from the company. A Chrome update that Google released on May 24 included fixes for 32 flaws, one of which was rated as being of critical severity while seven others were rated as being highly critical. Another update, also in May, contained fixes for 13 flaws, eight of which the company rated as being of high severity.

About the Author(s)

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights