Google has confirmed a whole new group of alarmingly serious security vulnerabilities in Chrome 92, just two weeks after fixing the latest batch of vulnerabilities. These new security threats mean that “an attacker could exploit to gain control of an affected system,” the US Cybersecurity and Infrastructure Security Agency (CISA) said.
Indeed, the CISA, an autonomous federal agency under the oversight of the US Department of Homeland Security (DHS), encourages both users and administrators to “apply the necessary updates. “Here’s what Google Chrome users need to know.
What do we know about these serious Google Chrome security holes?
An update for the desktop version of Google Chrome will be rolling out to all Windows, Mac, and Linux users over the next few days and weeks. In a blog post dated August 16, Google Chrome technical program manager Srinivas Sista confirmed that of the nine security updates fixed in this update, seven with a high rating were discovered by researchers outside of Google.
One of those hackers was Manfred Paul, who was responsible for discovering two high severity vulnerabilities: CVE-2021-30598 and CVE-2021-30599. Talk to Safety weekPaul, who received a bounty of $ 21,000 for each flaw, confirmed that even if an attacker could use them to obtain arbitrary code execution, he would have to exploit another vulnerability “to escape the Chrome sandbox” . It may sound like a non-event, but in reality it is not.
Only a few weeks ago, such a flaw escaping from the sandbox in Chrome has been corrected by Google.
If you’ve ever needed confirmation that hacking isn’t a crime, these bug bounty hackers provide it. So, let’s stop calling those law-breaking people hackers and use the right terminology instead: criminals. Either way, with that very short rant over, here’s what is known about the security holes these hackers, security researchers outside of Google, were able to find.
It is not at all surprising that very little is known, as specific details of each vulnerability are not disclosed at this time. This is to prevent criminal exploitation before as many users can apply update 92.0.4515.159 as possible.
The seven high severity security vulnerabilities have been confirmed to have the following Common Vulnerability and Exposure (CVE) identification numbers and identification details:
- CVE-2021-30598 is a ‘type confusion in V8’ vulnerability that earned a bounty of £ 21,000.
- Another ‘type confusion in V8’ vulnerability is CVE-2021-30599 which also earned a bounty of £ 21,000.
- CVE-2021-30600 is a ‘use after use free in print’ vulnerability that earned a bounty of £ 20,000.
- CVE-2021-30601 is a ‘use after free use in Extensions API’ vulnerability that also earned a bounty of £ 20,000.
- CVE-2021-30602 is a “use after free in WebRTC” vulnerability, and the premium has not yet been determined.
- CVE-2021-30603 is a ‘race in WebAudio’ vulnerability, and a bug bounty was not applicable in this case.
- CVE-2021-30604 is a “use after free in ANGLE” vulnerability, and the premium has not yet been determined.
Are any of these Chrome security vulnerabilities already being exploited?
Sorry to disappoint; once again the answer must be a little vague. To the best of my knowledge, and after asking questions around the cybersecurity community, there is no evidence of exploitation in the nature of any of these vulnerabilities. However, this shouldn’t be seen as a no-release card, as it arguably won’t take long for the exploits to emerge as more details come. All the more reason not to wait and apply the security update as soon as possible.
The point of view of the software development security expert
While he advises that all organizations would do well to have such an SLDC in place, regardless of their size, Wright doesn’t think these latest findings are necessarily a bad thing. “On the positive side, these results show the value of public bug bounty programs,” says Wright. “It is really encouraging to see the problems detected by researchers, disclosed by ethical means and resolved with sufficient speed and efficiency to prevent malicious exploitation in the wild,” he concludes.
How to update your Google Chrome browser
While Google has said that the Desktop Chrome update will begin rolling out to all users in the coming days and weeks, there’s no real excuse to just sit back and not be proactive here. Yes, automatic updates are great and I don’t recommend turning them off; something I know some Windows 10 users have done to prevent their 50 open tabs from automatically closing. No, I’m not going to tell you how to do it, but I will tell you how to get the update faster with just a few clicks.
Click a: go to Help | About Google Chrome in the three-dot menu. Just checking your browser version will start the update process.
Double click: once the update has downloaded, restart your browser for the protection to start working.
Click three: you can see you are using the updated version by going back to the same setting once more.