Google Chrome update squashes bug used to attack users

Google has patched a high-severity vulnerability for the desktop version of its Chrome browser.

The flaw, tracked as CVE-2022-2856, is being actively exploited in the wild, the company says, which is why it’s paramount that users patch their endpoints immediately. 

As is common, Google doesn’t want to say much about the flaw, until the majority of Chrome instances have been patched. What it did say, though, is that this is an improper input validation bug, further described as “insufficient validation of untrusted input in Intents.”

Patching up holes

The fix came as part of a larger update, covering a total of 11 vulnerabilities. Besides CVE-2022-2856, Google fixed these flaws, as well:

  • CVE-2022-2852 (critical): Use after free in FedCM
  • CVE-2022-2854 (high): Use after free in SwiftShader
  • CVE-2022-2855 (high): Use after free in ANGLE
  • CVE-2022-2857 (high): Use after free in Blink
  • CVE-2022-2858 (high): Use after free in Sign-In Flow.
  • CVE-2022-2853 (high): Heap buffer overflow in Downloads
  • CVE-2022-2859 (medium): Use after free in Chrome OS Shell
  • CVE-2022-2860 (medium): Insufficient policy enforcement in Cookies
  • CVE-2022-2861 (medium): Inappropriate implementation in Extensions API

As per a report on The Register, Google paid out at least $29,000 to bounty hunters who found and disclosed these vulnerabilities. The highest payout, of $7,000, went to researchers who found CVE-2022-2854 and CVE-2022-2855. Last year, the company paid out almost $9 million for numerous bug disclosures.

Being the world’s number one browser, Chrome is also the biggest target, with countless threat actors racing to find new zero-day vulnerabilities. Less than two months ago, Google fixed one such vulnerability for the Windows version, that was allegedly being exploited in the wild.

The high-severity bug, tracked as CVE-2022-2294, is a heap-based buffer overflow weakness.

Via: The Register