The latest Google Chrome update includes 11 security fixes, some of which could be exploited by an attacker to take control of an affected system. Google Chrome’s Stable channel has been updated to 103.0.5060.134 for Windows, Mac, and Linux, and the new version will roll out over the coming days/weeks.
Of the 11 security fixes five are use-after-free issues, including four that are marked with a severity of “high.” Use after free (UAF) vulnerabilities occur because of the incorrect use of dynamic memory during a program’s operation.
The high-severity use-after-free vulnerabilities resolved with the latest Chrome update are:
- CVE-2022-2477 is a use-after-free vulnerability in Guest View that could allow arbitrary code execution following interaction by the victim.
- CVE-2022-2478 is a use-after-free vulnerability in Chrome’s PDF handling code. Not many details are available but the attacker needs the victim to engage in some kind of user interaction to exploit this vulnerability.
- CVE-2022-2479 is caused by insufficient validation of untrusted input in File. No further details were given but successful exploitation requires user interaction by the victim.
- CVE-2022-2481 is a use-after-free vulnerability in Views. The Chrome user interface is constructed of a tree of components called Views. These Views are responsible for rendering, layout, and event handling.
Threat actors have leveraged Chrome over the last few years to deploy malware, including ransomware payloads. These types of bugs can be leveraged in various ways; in previous campaigns, we observed nation-state actors operating out of the DPRK utilizing watering holes or otherwise fraudulent websites to lure unsuspecting victims into downloading and installing tainting Microsoft Visual Basic files containing malware. Once a user downloaded and interacted with the file, an attacker could execute arbitrary code and commands on underlying or host operating systems, bypassing the browser's built-in sandboxing security feature.
If you’re a Chrome user on Windows, Mac, or Linux, you should update as soon as possible. Android users will also find an update waiting.
The easiest way to update Chrome is to allow it to update automatically, which basically uses the same method as outlined below but does not require your attention. But beware, you can end up lagging behind if you never close the browser or if something goes wrong—such as an extension that stops you from updating the browser.
It doesn’t hurt to check for updates now and then. And now would be a good time, given the severity of the vulnerabilities in this batch. My preferred method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.
If there is an update available, Chrome will notify you and even start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.