Google Chrome update fixes major security flaws
Google has released a Chrome update that fixes major security vulnerabilities in the browser on smartphones and Windows, Mac, and Linux computers.
The tech giant said the update includes ten security fixes, with at least six vulnerabilities considered high severity. Google said the update would roll out over the coming weeks.
Google hasn’t provided specifics on the vulnerabilities and said it won’t until most users have updated their browsers. It recommends that users install the update as soon as it rolls out to their devices.
“We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed,” it said in a blog post.
The high-severity vulnerabilities are labelled as follows:
- CVE-2022-3885: Use after free in V8.
- CVE-2022-3886: Use after free in Speech Recognition.
- CVE-2022-3887: Use after free in Web Workers.
- CVE-2022-3888: Use after free in WebCodecs.
- CVE-2022-3889: Type confusion in V8.
- CVE-2022-3890: Heap buffer overflow in Crashpad.
Malicious actors could leverage the vulnerability to exploit heap corruption via a crafted HTML page.
The first two vulnerabilities — CVE-2022-3885 and CVE-2022-3886 — represent security flaws in Google’s open-source JavaScript engine known as V8 and Google Chrome’s Speech Recognition feature.
CVE-2022-3887 and CVE-2022-3888 relate to Google’s background script-running feature Web Workers and Chrome’s WebCodecs API, respectively.
The CVE-2022-3889 vulnerability provides the browser’s V8 engine with the wrong code, while the CVE-2022-3890 flaw could let attackers bypass Google’s sandbox security measures.
Google rewarded security researchers for disclosing the vulnerabilities, with one researcher getting $21,000 (R365,000) for their tip-off.