Google Chrome Update Takes Down Bug Used to Attack Users

Google's latest update patches a high-severity vulnerability in the desktop version of its Chrome web browser.
The flaw, tracked as CVE-2022-2856, is being actively exploited in the wild, the company says, which is why it is paramount that users patch their endpoints immediately. The fix shipped in the Stable channel release 104.0.5112.101 (104.0.5112.101/102 on Windows), so any Chrome build below that version should be treated as unpatched.
As is usual, Google is withholding details of the flaw until the majority of Chrome installations have been updated. All it has said is that this is an improper input validation bug, described in the release notes as "insufficient validation of untrusted input in Intents."
The fix arrived as part of a larger update covering 11 vulnerabilities in total. Besides CVE-2022-2856, Google fixed the following flaws:
- CVE-2022-2852 (critical): Use after free in FedCM
- CVE-2022-2854 (high): Use after free in SwiftShader
- CVE-2022-2855 (high): Use after free in ANGLE
- CVE-2022-2857 (high): Use after free in Blink
- CVE-2022-2858 (high): Use after free in Sign-In Flow
- CVE-2022-2853 (high): Heap buffer overflow in Downloads
- CVE-2022-2859 (medium): Use after free in Chrome OS Shell
- CVE-2022-2860 (medium): Insufficient policy enforcement in Cookies
- CVE-2022-2861 (medium): Inappropriate implementation in Extensions API
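Since the only actionable advice here is "patch now", the practical check is whether each endpoint already runs a build at or above the release that carried these fixes. The script below is an added example (it is not from the article and not Google's tooling): it parses the version out of the browser's `--version` banner and compares it field by field against an assumed minimum of 104.0.5112.101. The `FIXED_VERSION` variable, the function names and the sample banner are all constructed for this illustration.

```shell
# Added example: confirm an installed Chrome build is at or above the Stable
# release that shipped the CVE-2022-2856 fix. Not part of the original article.
# Assumption: the fixed Stable version is 104.0.5112.101 (Windows also received
# 104.0.5112.102). Override with FIXED_VERSION=... for other baselines.
FIXED_VERSION="${FIXED_VERSION:-104.0.5112.101}"

# version_ge A B: succeed if dotted version A >= B. Fields are compared
# numerically, so 104.0.5112.101 ranks above 104.0.5112.99 (a plain string
# compare would get this wrong). A missing trailing field counts as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        ai="${ai:-0}"; bi="${bi:-0}"
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# chrome_version_from_banner "Google Chrome 104.0.5112.79": print the dotted
# version embedded in the banner (also works for "Chromium 104.0.5112.79 ...").
chrome_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*[^0-9.]\([0-9][0-9.]*[0-9]\).*/\1/p'
}

# check_chrome_version VERSION: print a one-line verdict suitable for a fleet
# inventory script; exit status 0 when patched, 1 when an update is required.
check_chrome_version() {
    ver="$1"
    if version_ge "$ver" "$FIXED_VERSION"; then
        printf 'PATCHED    %s (>= %s)\n' "$ver" "$FIXED_VERSION"
        return 0
    fi
    printf 'VULNERABLE %s (< %s) - update Chrome now\n' "$ver" "$FIXED_VERSION"
    return 1
}

# Run against the local Linux binary when present; otherwise fall back to a
# constructed sample banner so the script also runs offline.
if command -v google-chrome >/dev/null 2>&1; then
    banner="$(google-chrome --version 2>/dev/null)"
else
    banner="Google Chrome 104.0.5112.79"   # constructed sample: pre-fix build
fi
check_chrome_version "$(chrome_version_from_banner "$banner")" && rc=0 || rc=$?
# rc is 0 when the endpoint is patched, 1 when it still needs the update
```

On Windows the same comparison applies; the installed version can be read with PowerShell from `(Get-Item "C:\Program Files\Google\Chrome\Application\chrome.exe").VersionInfo.ProductVersion` and fed to `check_chrome_version`. Note that Chrome only applies a downloaded update after a relaunch, so a browser that has been open for days can report an old version even though the updater has already fetched the fix.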
Google paid out at least $29,000 to the researchers who found and reported these vulnerabilities. The highest individual rewards, $7,000 each, went to the researchers who discovered CVE-2022-2854 and CVE-2022-2855. Last year the company paid out almost $9 million in bug bounties across its programs.
Google Chrome Fix
As the world's most widely used web browser, Chrome is also the biggest target, with threat actors racing to find new zero-day vulnerabilities in it. Not long ago, Google fixed another such vulnerability in the desktop versions of the browser that was being exploited in the wild.

That high-severity bug, tracked as CVE-2022-2294, was a heap-based buffer overflow in WebRTC.