Google has released security fixes for the desktop Chrome app on Windows, Linux, and Mac. This consists of Ten vulnerabilities that include one Zero-day vulnerability with High severity. This is the fifth Zero-day vulnerability fixed by Google this year and is assigned with CVE-2022-2856.
Most of the vulnerabilities in the advisory released on August 16th address a Use after free vulnerability sharing critical and high severity in various components such as FedCM, SwiftShader, ANGLE, Blink, Chrome OS Shell and Sign-In Flow. Google recommends Chrome browser users patch their applications immediately by installing the latest version.
CVE-2022-2856: Intent is not validated properly for untrusted input
Google Chrome’s Intents is the vulnerable component. It is a mechanism for triggering apps directly from a web page, in which data on the web page is fed into an external app launched to process that data. This bug was reported by Ashley Shen and Christian Resell of Google Threat Analysis Group on 2022-07-19.
The tech giant has refrained from sharing additional specifics about the exploit until most of the users are updated. “Google is aware that an exploit for CVE-2022-2856 exists in the wild,” it added in the advisory.
Successful exploitation of this bug leads to silent feeding of the local app with the sort of risky data that would typically be blocked on security grounds.
As listed below, seven of these bugs are Use After Free caused by memory mismanagement, which is a flaw associated with improper use of dynamic memory while a program is running.
If the program fails to remove the pointer assigned to a dynamic memory region after releasing it, an attacker can use this error to compromise the program. This may result in arbitrary code execution, data corruption, or program failures.
- CVE-2022-2852: Use after free in FedCM
- CVE-2022-2854: Use after free in SwiftShader
- CVE-2022-2855: Use after free in ANGLE
- CVE-2022-2857: Use after free in Blink
- CVE-2022-2858: Use after free in Sign-In Flow
- CVE-2022-2859: Use after free in Chrome OS Shell
- CVE-2022-2853: Heap buffer overflow in Downloads
- CVE-2022-2860: Insufficient policy enforcement in Cookies
- CVE-2022-2861: Inappropriate implementation in Extensions API
Google Chrome version before 104.0.5112.101.
Google has released Chrome version 104.0.5112.101 for macOS and Linux and 104.0.5112.102/101 for Windows to address this issue.
SanerNow detects these vulnerabilities and automatically fixes them through patch management by applying security updates. We strongly recommend applying the security updates as soon as possible, following the instructions published in our support article.