Critical, High-Severity Google Chrome Vulnerabilities Found


Another day, another set of Google Chrome vulnerabilities.

Hot on the heels of the recent emergency Google Chrome security update addressing a zero-day exploit that was already observed in the wild, another critical security update has been released for the Chrome browser.

This latest Google Chrome security update addresses four bugs, one of which is a critical issue affecting the browser’s ‘autofill payments’ function, which automatically enters payment details in online forms.

The impact is far-reaching: if exploited by a remote attacker, these vulnerabilities can lead to remote code execution and data manipulation on affected systems.

Users should be particularly cautious if they are using Google Chrome versions prior to 114.0.5735.130/.131 on Android, 114.0.5735.133 on Linux, 114.0.5735.133 on Mac, or 114.0.5735.133/134 on Windows.

Google Chrome vulnerabilities: One critical, four high

While it may not carry the same level of urgency as CVE-2023-3079, as there are no known exploits currently in circulation, CVE-2023-3214 should still be taken very seriously, for the following reasons.

Among the latest Google Chrome vulnerabilities, this security issue is classified as critical and affects the autofill payments functionality of the Chrome browser. The combination of the terms ‘payments’ and ‘critical’ was enough to set off alarm bells.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” said the Google alert.

Because threat actors take note of vulnerability alerts, Google as a matter of policy withholds such technical details until a majority of users have received the automated update and applied it.

Google Chrome vulnerabilities: Use after free

Among the latest four Google Chrome vulnerabilities, the critical one and two of the high-severity ones fall into the category of “use-after-free” vulnerabilities.

“Use-After-Free (UAF) is a vulnerability related to incorrect use of dynamic memory during program operation. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program,” defined Kaspersky.

“An attacker can use UAFs to pass arbitrary code — or a reference to it — to a program and navigate to the beginning of the code by using a dangling pointer. In this way, execution of the malicious code can allow the cybercriminal to gain control over a victim’s system.”

Meanwhile, the three other vulnerabilities, all rated high severity, also pose a considerable threat.

The high-severity Google Chrome vulnerabilities

CVE-2023-3215: This vulnerability involves a use-after-free issue in Chromium’s WebRTC, a real-time communication system used for audio, video, and data transmission.

CVE-2023-3216: This vulnerability pertains to a type confusion problem in the V8 JavaScript engine.

CVE-2023-3217: Another use after free vulnerability has been addressed, this time in the Chrome browser’s WebXR, which is an application programming interface for augmented reality and virtual reality.

To update the browser, users can navigate to the Help|About option in the Google Chrome menu. If the update is available, it will automatically begin downloading. The update will show up for all users in the coming days.

Users must restart their browsers after installing the update to activate the changes; otherwise, the browsers will remain vulnerable to attacks.
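To check a set of machines against the fixed builds listed earlier and the restart requirement above, the following added example (not from the original article or from Google) compares installed and running Chrome versions numerically. The inventory rows, host names and status labels are constructed, and where the article lists two builds for a platform the lower one is assumed to be the first fixed build.

```python
# Added example: thresholds come from the article; inventory rows are constructed.
import re

# First fixed build per platform. Where the article lists two builds
# (Android, Windows), the lower one is assumed to be the threshold.
FIXED = {
    "android": (114, 0, 5735, 130),
    "linux": (114, 0, 5735, 133),
    "mac": (114, 0, 5735, 133),
    "windows": (114, 0, 5735, 133),
}

def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a Chrome version."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(platform, installed, running):
    """Classify one host: patched, restart-pending, vulnerable or unknown."""
    fixed = FIXED.get(platform.lower())
    inst, run = parse_version(installed), parse_version(running)
    if fixed is None or inst is None or run is None:
        return "unknown"
    # Tuples compare numerically, so build 90 sorts below 133
    # (a plain string comparison would get this wrong).
    if inst < fixed:
        return "vulnerable"
    # Update is on disk, but the running process is still the old build.
    if run < fixed:
        return "restart-pending"
    return "patched"

# Constructed inventory: (host, platform, installed version, running version)
INVENTORY = [
    ("ws-01", "windows", "114.0.5735.134", "114.0.5735.134"),
    ("ws-02", "windows", "114.0.5735.133", "114.0.5735.110"),
    ("lx-01", "linux", "114.0.5735.90", "114.0.5735.90"),
    ("ph-01", "android", "114.0.5735.130", "114.0.5735.130"),
    ("mb-01", "mac", "113.0.5672.126", "113.0.5672.126"),
    ("kiosk", "chromeos", "114.0.5735.133", "114.0.5735.133"),
    ("ws-03", "windows", "not installed", ""),
]

def audit(rows):
    """Map each host name to its classification."""
    return {host: classify(plat, inst, run) for host, plat, inst, run in rows}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

The thresholds apply to Google Chrome only; other Chromium-based browsers use their own version numbers and need their own fixed-build values.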

Other browsers that utilize the Chromium engine will also receive updates. These updates may have already been deployed or will be rolled out in the next few days.

Google recommends that users check whether the update has been installed and activated on their Brave, Edge, Opera, or Vivaldi browsers to ensure protection against potential security risks.




