Google has released security fixes for the desktop Chrome app on Windows, Linux, and Mac. The release covers ten vulnerabilities, including one zero-day vulnerability of High severity. Google can fix the vulnerabilities through automatic patching. This is the fifth zero-day vulnerability fixed by Google this year, and it is tracked as CVE-2022-2856.
Most of the vulnerabilities in the advisory released on August 16th are use-after-free flaws of critical and high severity in various components such as FedCM, SwiftShader, ANGLE, Blink, Chrome OS Shell and Sign-In Flow. Google recommends that Chrome browser users patch their applications immediately by installing the latest version or by using a patch management tool.
Zero-Day CVE-2022-2856 Bug
CVE-2022-2856: Intent is not validated properly for untrusted input
Google Chrome’s Intents is the vulnerable component. It is a mechanism for triggering apps directly from a web page, in which data on the web page feeds into an external app launched to process that data. Ashley Shen and Christian Resell of Google Threat Analysis Group reported this bug on 2022-07-19.
The tech giant has refrained from sharing additional specifics about the exploit until most users update. “Google is aware that an exploit for CVE-2022-2856 exists in the wild,” it added in the advisory.
Impact:
Successful exploitation of this bug lets a web page silently feed a local app the sort of risky data that would normally be blocked on security grounds.
Other Vulnerabilities excluding CVE-2022-2856
As listed below, seven of these bugs are Use After Free caused by memory mismanagement, a flaw associated with improper use of dynamic memory while a program runs.
If the program fails to clear the pointer to a dynamic memory region after releasing it, an attacker can use this error to compromise the program. This may result in arbitrary code execution, data corruption, or program failures.
- CVE-2022-2852: Use after free in FedCM
- CVE-2022-2854: Use after free in SwiftShader
- CVE-2022-2855: Use after free in ANGLE
- CVE-2022-2857: Use after free in Blink
- CVE-2022-2858: Use after free in Sign-In Flow
- CVE-2022-2859: Use after free in Chrome OS Shell
- CVE-2022-2853: Heap buffer overflow in Downloads
- CVE-2022-2860: Insufficient policy enforcement in Cookies
- CVE-2022-2861: Inappropriate implementation in Extensions API
Affected Products
Google Chrome versions before 104.0.5112.101.
Solution
Google has released Chrome version 104.0.5112.101 for macOS and Linux and 104.0.5112.102/101 for Windows to address the CVE-2022-2856 bug.
SanerNow detects these vulnerabilities and automatically fixes them through patch management by applying security updates. We strongly recommend applying the security updates as soon as possible, following the instructions published in our support article, which is now replaced by the KB Article.
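To confirm that endpoints have reached the fixed build listed above, the following added example (not code from Google's advisory or from SanerNow) classifies reported Chrome version strings against 104.0.5112.101. The host names and version reports in the sample inventory are constructed, and the input format (text such as the output of `google-chrome --version`) is an assumption.

```python
import re

# Fixed build taken from the advisory text above: versions before this are affected.
FIXED_BUILD = (104, 0, 5112, 101)

# Chrome versions are four dot-separated integers (MAJOR.MINOR.BUILD.PATCH).
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_chrome_version(text):
    """Extract the first four-part version from text such as the output of
    `google-chrome --version`; return a tuple of ints, or None if absent."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text, fixed=FIXED_BUILD):
    """Return 'patched', 'vulnerable' or 'unknown' for one version report."""
    version = parse_chrome_version(text)
    if version is None:
        return "unknown"  # never treat an unparsable report as safe
    # Tuple comparison is numeric per component, so 104.0.5112.99 sorts
    # below 104.0.5112.101 (a plain string comparison gets this wrong).
    return "patched" if version >= fixed else "vulnerable"


def audit(inventory):
    """Map host -> status for an iterable of (host, reported_version) pairs."""
    return {host: classify(reported) for host, reported in inventory}


# Constructed sample inventory (hypothetical host names and version reports).
SAMPLE_INVENTORY = [
    ("ws-001", "Google Chrome 104.0.5112.101 "),
    ("ws-002", "Google Chrome 104.0.5112.99"),
    ("ws-003", "Google Chrome 103.0.5060.134"),
    ("win-004", "104.0.5112.102"),
    ("ws-005", "Google Chrome 105.0.5195.52 beta"),
    ("ws-006", "chrome: command not found"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` should be followed up rather than assumed patched, since a missing or unreadable version report says nothing about the installed build.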