Google Patches Multiple Vulnerabilities in its Chrome Browser

Google has released an update for the Chrome browser on Windows, Mac, and Linux addressing multiple vulnerabilities.

The advisory addresses 10 vulnerabilities but has so far provided details for only six of them. All six are rated high severity.
 
Some of the vulnerabilities addressed in the advisory are: 

  • CVE-2022-3885: Use after free in V8. The vulnerability was reported by gzobqq. V8 is the open-source JavaScript engine developed by the Chromium Project for Google Chrome and Chromium web browsers. This vulnerability could cause heap corruption. 
  • CVE-2022-3886: Use after free in Speech Recognition. The vulnerability was reported anonymously to Google and can cause heap corruption. 
  • CVE-2022-3887: Use after free in Web Workers. The vulnerability was reported anonymously to Google. Web Workers are used in Google Chrome to run scripts in the background without interfering with the user interface.
  • CVE-2022-3888: Use after free in WebCodecs. The vulnerability was reported by Peter Nemeth. WebCodecs is used to provide low-level access to media encoders and decoders. 
  • CVE-2022-3889: Type Confusion in V8. The vulnerability was reported anonymously to Google. 
  • CVE-2022-3890: Heap buffer overflow in Crashpad. The vulnerability was reported anonymously to Google. This vulnerability exists in Google Chrome on Android. This can allow a remote attacker to perform a sandbox escape and enable them to elevate privileges across an entire host environment. 

Affected versions  
Google Chrome versions prior to 107.0.5304.106/.107 are affected by these vulnerabilities.
 
Mitigation  
Customers are requested to upgrade to the latest stable channel version: 107.0.5304.110 for Mac and Linux, and 107.0.5304.106/.107 for Windows. For more information, please refer to the Google Chrome security page.
 
Customers can check for updates by navigating to Chrome Menu > Help > About Google Chrome. The web browser automatically checks for the latest updates and installs them when it is launched.
 

 
Microsoft has released the Microsoft Edge Stable Channel (Version 107.0.1418.42) addressing the latest security updates of the Chromium project.  
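
For triaging a software inventory against the fixed builds listed in the Mitigation section and the Edge build above, the following is an added example (not code from Google, Microsoft, or Qualys). The inventory rows, hostnames, and function names are constructed for illustration, and applying the single Edge build to every OS is an assumption, since the advisory gives no per-OS split.

```python
import re

# Minimum fixed builds taken from the advisory text above.
FIXED = {
    ("chrome", "windows"): (107, 0, 5304, 106),
    ("chrome", "mac"): (107, 0, 5304, 110),
    ("chrome", "linux"): (107, 0, 5304, 110),
    ("edge", "*"): (107, 0, 1418, 42),  # assumption: same build on every OS
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Extract a four-part build number, e.g. from 'Google Chrome 107.0.5304.87'."""
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no four-part version in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(product, os_name, version_text):
    """True if the build is at or above the fixed build for that product and OS."""
    key = (product.lower(), os_name.lower())
    fixed = FIXED.get(key) or FIXED.get((key[0], "*"))
    if fixed is None:
        raise KeyError(f"no fixed build listed for {key}")
    # Compare as integer tuples: as strings, '107.0.5304.87' sorts above '107.0.5304.106'.
    return parse_version(version_text) >= fixed


def unpatched_hosts(inventory):
    """Return hostnames from (host, product, os, version) rows that need the update."""
    return [host for host, product, os_name, ver in inventory
            if not is_patched(product, os_name, ver)]

# Constructed sample inventory, not real data.
SAMPLE_INVENTORY = [
    ("wks-01", "chrome", "windows", "Google Chrome 107.0.5304.87"),
    ("wks-02", "chrome", "windows", "107.0.5304.107"),
    ("mac-01", "chrome", "mac", "107.0.5304.106"),
    ("lnx-01", "chrome", "linux", "108.0.5359.71"),
    ("wks-03", "edge", "windows", "107.0.1418.35"),
]

if __name__ == "__main__":
    for host in unpatched_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```

Note that build 107.0.5304.106 counts as patched on Windows but not on Mac or Linux, where the fixed build is 107.0.5304.110.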
 
Qualys Detection  
Qualys customers can scan their devices with QIDs 377749 and 377757 to detect vulnerable assets.  
  
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.  
  
References 
https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop.html 
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#november-10-2022  
https://www.zdnet.com/article/google-chrome-security-update-fixes-six-high-severity-vulnerabilities-which-attackers-could-use-to-crash-your-computer/  
