Sep 06 2022

Chrome and Edge fix zero-day security hole – update now!

Category: Zero dayDISC @ 9:30 am
Chrome and Edge fix zero-day security hole – update now!

Just three days after Chrome’s previous update, which patched 24 security holes that were not in the wild…

…the Google programmers announced the release of Chrome 105.0.5195.102, where the last of the four numbers in the quadruplet jumps up from 52 on Mac and Linux and 54 on Windows.

The release notes confirm, in the clipped and frustrating “indirect statement made in the passive voice” bug-report style that Google seems to have borrowed from Apple:

  
CVE-2022-3075
: Insufficient data validation in Mojo.

   Reported by Anonymous on 2022-08-30

   [...]

   Google is aware of reportsrts [sic] that an exploit 
   for 
CVE-2022-3075
 exists in the wild.

Microsoft has put out an update, too, taking its browser, which is based on Chromium, to  Edge 105.0.1343.27.

Following Google’s super-brief style, Microsfoft wrote merely that:

  This update [Edge 105.0.1343.27] contains a fix for 
CVE-2022-3075
, 
   which has been reported by the Chromium team as having an exploit 
   in the wild
As always, our translation of security holes written up in this non-committal way is: “Crooks or spyware vendors found this vulnerability before we did, have figured out how to exploit it, and are already doing just that.”

…………..

What to do?

Patch early, patch often!

In Chrome, check that you’re up to date by clicking Three dots > Help > About Google Chrome, or by browsing to the special URL chrome://settings/help.

The Chrome version you are looking for (or Chromium version , if you’re using the non-proprietary, open source flavour) is: 105.0.5195.102 or later.

In Edge, it’s Three dots > Help and feedback > About Microsoft Edge.

The Edge version you’re after is: 105.0.1343.27 or later.

Google’s release notes also list an update to the Extended Stable Channel, which you might be using if you’re on a computer provided by work – like Mozilla’s Extended Support Release or ESR, it’s an official version that lags behind on features but keeps up with security patches, so you aren’t forced to adopt new features just to get patched.

The Extended Stable version you want is: 104.0.5112.114.

Google has also just announced a Chrome for iOS update, available (as always) via the App Store.

There’s no mention of whether the iOS version was affected by CVE-2022-3075, but the version you’re after, in any case, is 105.0.5195.100.

(We’re guessing that by iOS, Google means both iOS and iPadOS, now shipped as different variants of Apple’s underlying mobile operating system.)

Nothing in the release notes so far [2022-09-05T13:45Z] about Android – check in Google Play to see if you’re up to date.

Tags: Chrome, Edge

Dec 14 2021

Google fixed the 17th zero-day in Chrome since the start of the year

Category: App Security,Web SecurityDISC @ 9:25 am
Google fixed the 17th zero-day in Chrome since the start of the year

Google released security updates to address five vulnerabilities in the Chrome web browser, including a high-severity zero-day flaw, tracked as CVE-2021-4102, exploited in the wild.

The CVE-2021-4102 flaw is a use-after-free issue in the V8 JavaScript and WebAssembly engine, its exploitation could lead to the execution of arbitrary code or data corruption.

“Google is aware of reports that an exploit for CVE-2021-4102 exists in the wild.” reads the advisory published by Google which did not share additional info regarding these attacks.

The vulnerability was reported by an anonymous researcher on 2021-12-09.

Google has already addressed 17 zero-day vulnerabilities in Chrome this year, below is the full list:

Be sure to update your Chrome install to the latest 96.0.4664.110 version for Windows, Mac, and Linux.

The other issues fixed by Google with the latest release are:

[$NA][1263457] Critical CVE-2021-4098: Insufficient data validation in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-10-26

[$5000][1270658] High CVE-2021-4099: Use after free in Swiftshader. Reported by Aki Helin of Solita on 2021-11-16

[$5000][1272068] High CVE-2021-4100: Object lifecycle issue in ANGLE. Reported by Aki Helin of Solita on 2021-11-19

[$TBD][1262080] High CVE-2021-4101: Heap buffer overflow in Swiftshader. Reported by Abraruddin Khan and Omair  on 2021-10-21

The Browser Hacker’s Handbook 

Tags: Chrome, Google, The Browser Hacker's Handbook, zero-day