Indian government warns Google Chrome users of severe security threats
If you're a user of Google Chrome, beware, says the Computer Emergency Response Team (CERT-In) under the Ministry of Electronics and Information Technology (MeitY). CERT-In has reported multiple high-severity vulnerabilities that remote attackers can exploit. If you're running an old version of Chrome, the agency recommends that you update to the latest version.
Why does this story matter?
Vulnerabilities that allow arbitrary code execution and the bypass of security restrictions have become quite common these days. Earlier this week, Apple released some updates for iPhone, iPad, and MacBook for the same reason. Such high-severity vulnerabilities in some of the most used devices and software are no joke. The pertinent question here is how these tech giants miss such vulnerabilities in their software.
Remote attackers can execute arbitrary code and bypass security restrictions
CERT-In has warned Google Chrome users that multiple vulnerabilities of high severity could allow remote attackers to execute arbitrary code and bypass security restrictions on a targeted system. The agency reported 10 CVEs (Common Vulnerabilities and Exposures). Of them, CVE-2022-2856 is being "exploited in the wild," said the advisory. The reported vulnerabilities only affect Google Chrome for desktop.
Hackers can exploit the vulnerability by sending a special request
The vulnerabilities in Google Chrome are due to "use after free in FedCM, SwiftShader, ANGLE, Blink, Sign-in Flow, Chrome OS Shell; Heap buffer overflow in downloads, insufficient validation of untrusted input in intents, insufficient policy enforcement in Cookies and inappropriate implementation in extensions API," said the advisory. These issues can be exploited by sending a specially crafted request to the targeted device.
Google Chrome versions prior to 104.0.5112.101 are affected
According to CERT-In, not all Google Chrome users are affected by the vulnerabilities. Only those who are using Chrome versions prior to 104.0.5112.101 are affected. The agency asked users to update to the latest version of Google Chrome. To tackle CVE-2022-2856, which is being exploited the most, the advisory asked users to "apply patches urgently."
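For administrators checking desktop machines against the threshold above, here is an added example (not part of the advisory or the original article) that sorts an inventory into affected, patched and unknown hosts. The host names, the tab-separated inventory format and the sample version strings are constructed for illustration; the comparison is numeric per component, because a plain string comparison would rank 104.0.5112.99 above 104.0.5112.101.

```python
import re

# First unaffected version, as stated in the article above.
FIXED = (104, 0, 5112, 101)

# Chrome desktop versions have four dot-separated numeric components.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part version from text such as
    'Google Chrome 104.0.5112.79'. Returns a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def is_affected(text):
    """True if the version is prior to FIXED, False if not,
    None if no version could be parsed (needs manual follow-up)."""
    version = parse_version(text)
    if version is None:
        return None
    return version < FIXED  # tuple comparison is numeric, component by component


def triage(inventory):
    """inventory: iterable of 'host<TAB>version string' lines (assumed format)."""
    report = {"affected": [], "ok": [], "unknown": []}
    for line in inventory:
        host, _, raw = line.partition("\t")
        verdict = is_affected(raw)
        key = "unknown" if verdict is None else ("affected" if verdict else "ok")
        report[key].append(host)
    return report


# Constructed sample inventory; not real hosts or real scan output.
SAMPLE = [
    "ws-01\tGoogle Chrome 104.0.5112.79",
    "ws-02\tGoogle Chrome 104.0.5112.101",
    "ws-03\tGoogle Chrome 104.0.5112.99",   # string compare would call this newer
    "ws-04\tGoogle Chrome 103.0.5060.134",
    "ws-05\tGoogle Chrome 105.0.5195.52",
    "ws-06\tnot installed",
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

Hosts that land in "unknown" should be checked by hand rather than assumed patched.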