Google issues warning to millions of Chrome users
Chrome users, you need to be vigilant. Google has issued a new warning to its nearly three billion Chrome users worldwide confirming new “high” level attacks on its browser. This is what you need to know to stay safe.
Google announced the news in an official blog post, revealing that a total of 28 successful Chrome hacks have been discovered, nine of which are considered “high” level threats. The 28 attacks affect Chrome on all major platforms: Windows, Mac and Linux.
What are the new Chrome hacks?
To protect users and give them time to upgrade, Google currently restricts information about new exploits. It therefore disclosed only the broad vulnerability category and the affected component for each issue:
- High – CVE-2022-0789: Heap buffer overflow in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-01-21
- High – CVE-2022-0790: Use after free in Cast UI. Reported by Anonymous on 2021-11-26
- High – CVE-2022-0791: Use after free in Omnibox. Reported by Zhihua Yao of KunLun Lab on 2021-12-09
- High – CVE-2022-0792: Out of bounds read in ANGLE. Reported by Jaehun Jeong (@n3sk) of Theori on 2022-01-11
- High – CVE-2022-0793: Use after free in Views. Reported by Thomas Orlita on 2022-01-28
- High – CVE-2022-0794: Use after free in WebShare. Reported by Khalil Zhani on 2022-02-04
- High – CVE-2022-0795: Type confusion in Blink Layout. Reported by 0x74960 on 2021-12-27
- High – CVE-2022-0796: Use after free in Media. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-10
- High – CVE-2022-0797: Out of bounds memory access in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-12-21
Continuing a long-established pattern, hackers have the most success with “Use-After-Free” (UAF) exploits. The five high-level UAF attacks here bring the total number of Chrome UAF hacks to 31 since the start of 2022. UAF vulnerabilities are memory flaws that arise when a program fails to clear the pointer to memory after it has been freed.
Interestingly, there is only one high-level heap buffer overflow attack. This was the second most important avenue of attack. A heap buffer overflow is also known as “heap smashing”: heap memory is dynamically allocated and usually contains program data. With an overflow, critical data structures can be overwritten, making it an ideal target for hackers.
The good news in the latest hacks is that there are no zero-day vulnerabilities. Zero-day attacks occur when hackers create a successful exploit before the vendor can respond, and they are the most dangerous type of security exploit. In this case, Google had fixes ready before the flaws became public knowledge, but Chrome users still need to act quickly.
Update Chrome – What you need to do
To combat the new threats, Google announced Chrome 99.0.4844.51. Google says the release “will be rolling out over the next few days/weeks”, so not everyone will be able to protect themselves immediately.
To check if your browser is protected, go to Settings > Help > About Google Chrome and check if your browser version is listed as 99.0.4844.51 or higher. If the update is not yet available for your browser, check back regularly.
Critical step: after the update, Chrome must be restarted for the fixes to take effect. With 3.2 billion Chrome users worldwide, even a small number of users forgetting this step can leave millions of systems vulnerable and a prime target for hackers. Go update, right now.
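For anyone checking more than one machine, the version check and the restart step above can be combined into one audit. The following is an added example, not code from Google or the original article; the inventory format (host, installed version, version of the running process) and the host names are assumptions, and the sample rows are constructed.

```python
import re

FIXED = (99, 0, 4844, 51)  # patched build named in the article

def parse_version(text):
    """Turn 'a.b.c.d' into a tuple of ints, or None if malformed."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+){3}", text, flags=re.ASCII):
        return None
    return tuple(int(part) for part in text.split("."))

def classify(installed, running):
    """Compare numerically: as strings, '100' < '99' and '9' > '51'."""
    inst, run = parse_version(installed), parse_version(running)
    if inst is None or run is None:
        return "unknown"
    if inst < FIXED:
        return "needs-update"
    if run < FIXED:
        # Update is on disk, but the old build is still executing.
        return "needs-restart"
    return "patched"

# Constructed sample inventory (assumed CSV layout):
# host,installed_version,running_version
SAMPLE = """\
ws-01,99.0.4844.51,99.0.4844.51
ws-02,98.0.4758.102,98.0.4758.102
ws-03,99.0.4844.51,98.0.4758.102
ws-04,100.0.4896.60,100.0.4896.60
ws-05,99.0.4844.9,99.0.4844.9
ws-06,unknown,
"""

def audit(inventory):
    """Return {host: status} for every non-empty inventory row."""
    report = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, installed, running = line.split(",")
        report[host] = classify(installed, running)
    return report

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `needs-restart` are the case the article warns about: the fixed build is installed, but the vulnerable one keeps running until Chrome is relaunched.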