Google Releases New Stable Channel 108 Addressing Multiple Vulnerabilities in Chrome

Google has released Chrome 108 to the stable channel for Windows, Mac, and Linux addressing multiple vulnerabilities in the browser. In the advisory published on Nov 29, 2022, Google mentions, “The updates will roll out over the coming days/weeks.” 
 
The security fix addresses 28 vulnerabilities with severity ranging from high to medium. The advisory has provided information for 22 CVEs as of now. “Access to bug details and links may be restricted until most users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet been fixed”, says the advisory. 
 
The list of CVEs is provided below:

  1. CVE-2022-4174: This is a high-severity Type Confusion vulnerability in V8. Zhenghang Xiao reported this vulnerability. 
  2. CVE-2022-4175: This is a high-severity Use-After-Free vulnerability in Camera Capture. Leecraso and Guang Gong of 360 Alpha Lab reported this vulnerability. 
  3. CVE-2022-4176: This is a high-severity Out-of-Bounds write vulnerability in Lacros Graphics. Lacros is an architecture project to decouple the Chrome browser from the Chrome OS window manager and system UI. Ginggil Besel reported this vulnerability. 
  4. CVE-2022-4177: This is a high-severity Use-After-Free vulnerability in Extensions. Chaoyuan Peng reported this vulnerability. 
  5. CVE-2022-4178: This is a high-severity Use-After-Free vulnerability in Mojo. Sergei Glazunov of Google Project Zero reported this vulnerability. 
  6. CVE-2022-4179: This is a high-severity Use-After-Free vulnerability in Audio. Sergei Glazunov of Google Project Zero reported this vulnerability. 
  7. CVE-2022-4180: This is a high-severity Use-After-Free vulnerability in Mojo. This vulnerability was reported anonymously to Google. 
  8. CVE-2022-4181: This is a high-severity Use-After-Free vulnerability in Forms. Aviv A reported this vulnerability. 
  9. CVE-2022-4182: Inappropriate implementation in Fenced Frames. Peter Nemeth reported this vulnerability. 
  10. CVE-2022-4183: Insufficient policy enforcement in Popup Blocker. David Sievers reported this vulnerability. 
  11. CVE-2022-4184: Insufficient policy enforcement in Autofill. Ahmed ElMasry reported this vulnerability. 
  12. CVE-2022-4185: Inappropriate implementation in Navigation. James Lee reported this vulnerability. 
  13. CVE-2022-4186: Insufficient validation of untrusted input in Downloads. Luan Herrera reported this vulnerability. 
  14. CVE-2022-4187: Insufficient policy enforcement in DevTools. Axel Chong reported this vulnerability. 
  15. CVE-2022-4188: Insufficient validation of untrusted input in CORS. Philipp Beer reported this vulnerability. 
  16. CVE-2022-4189: Insufficient policy enforcement in DevTools. NDevTK reported this vulnerability. 
  17. CVE-2022-4190: Insufficient data validation in Directory. Axel Chong reported this vulnerability. 
  18. CVE-2022-4191: Use after free in Sign-In. Jaehun Jeong of Theori reported this vulnerability. 
  19. CVE-2022-4192: Use after free in Live Caption. Samet Bekmezci reported this vulnerability. 
  20. CVE-2022-4193: Insufficient policy enforcement in File System API. Axel Chong reported this vulnerability. 
  21. CVE-2022-4194: Use after free in Accessibility. This vulnerability was reported anonymously to Google. 
  22. CVE-2022-4195: Insufficient policy enforcement in Safe Browsing. Eric Lawrence of Microsoft reported this vulnerability. 

Affected versions  
Google Chrome versions prior to 108.0.5359.71 are affected by these vulnerabilities. 
 
Mitigation  
Customers must upgrade to the latest stable channel versions 108.0.5359.71 (Mac/Linux) and 108.0.5359.71/72 (Windows). For more information, please refer to the Google Chrome security page.
 
Check for updates by navigating to Chrome Menu > Help > About Google Chrome. The web browser automatically checks for the latest updates and installs them when launched. 

Qualys Detection  
Qualys customers can scan their devices with QID 377801 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.  
  
References 
https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_29.html 
