Google has released an update for its Chrome browser that includes eleven security fixes, one of which has been reportedly exploited in the wild.
The vulnerability that is reported as being exploited in the wild has been assigned CVE-2022-0609.
The vulnerability is described as a Use-after-free (UAF) vulnerability in the Animation component. UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. In this case, when the vulnerability is exploited, this can lead to corruption of valid data and the execution of arbitrary code on affected systems.
As a result, a remote attacker can create a specially crafted web page, trick the victim into visiting it, trigger the UAF vulnerability and execute arbitrary code on the target system.
The researchers who found and reported the flaw are Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group (TAG). As usual, Google hasn’t gone into any more detail about the bug. Access to bug details and links are usually restricted until the majority of users are updated with a fix.
Other vulnerabilities that have been discovered by external researchers are;
- CVE-2022-0603: Use after free in File Manager.
- CVE-2022-0604: Heap buffer overflow in Tab Groups.
- CVE-2022-0605: Use after free in Webstore API.
- CVE-2022-0606: Use after free in ANGLE.
- CVE-2022-0607: Use after free in GPU.
- CVE-2022-0608: Integer overflow in Mojo.
- CVE-2022-0610: Inappropriate implementation in Gamepad API.
How to protect yourself
The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But you can end up lagging behind if you never close the browser or if something goes wrong, such as an extension stopping you from updating the browser.
So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerability. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.
If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.
After the update the version should be 98.0.4758.102. Since Animations is a Chromium component, users of other Chromium based browsers may see a similar update.
Stay safe, everyone!