Why You Should Update Google Chrome Right Now: 11 New Security Issues Confirmed
Google has just confirmed the second clutch of security updates for the Chrome browser in July. Version 103.0.5060.134 for all Windows, Mac, and Linux users will become available in the coming days. While this update will roll out automatically, users who don’t restart their browser regularly are advised to check manually and force the security patch activation.
July 22 Update below. This post was originally published on July 20.
As I reported earlier in the month, a zero-day Chrome vulnerability was confirmed by Google as being actively exploited by attackers. That vulnerability was CVE-2022-2294 and very little detail was released about it for obvious reasons. Now that there has been plenty of time for users to apply the fix, in the form of the first Google Chrome security update for July, that detail has started to emerge courtesy of the threat researchers at Avast who discovered it. In a newly published report, the researchers reveal how the vulnerability was used by attackers targeting users in the Middle East, in particular journalists in Lebanon.
The Avast researchers say that they can “confidently attribute it to a secretive spyware vendor” which they name as Candiru. A year ago, almost to the day, Citizen Lab research claimed that Candiru was “a mercenary spyware firm that markets ‘untraceable’ spyware to government customers. Their product offering includes solutions for spying on computers, mobile devices, and cloud accounts.” Avast says Candiru had lain low following the publication of this research but, in March 2022, researchers had seen it come back with tools targeting Avast users, once again in Lebanon as well as Palestine, Turkey, and Yemen. Those tools used a zero-day for Google Chrome.
Avast reports that the zero-day was designed to target Chrome users on the Windows platform. Because it used a WebRTC bug, it also impacted Microsoft Edge and even Apple Safari. All versions of Chrome have since been patched.
This, if you really needed reminding, is a good reason to ensure you don’t hang around installing these security updates for Chrome. With billions of users spread across multiple platforms, it is a very profitable target for malicious actors. As stated above, while your browser will automatically download new updates once they are available to it, these won’t activate until you restart the browser.
What’s new in Google Chrome 103.0.5060.134?
In total, this update to Chrome 103.0.5060.134 fixes 11 security issues. Five of these were discovered by internal security audits and ‘fuzzing’, an automatic process that looks for exceptions when a program is given unexpected or random inputs. The remaining six issues are vulnerabilities uncovered by security researchers. Unlike the first Chrome update this month, none are zero-days that attackers are known to be already exploiting in the wild. It would also appear that there are no security fixes in the Android Chrome update announced at the same time.
Five of the six vulnerabilities are rated as high impact, with the sixth being a low-impact issue. In total, $33,500 in bug bounties was awarded to the researchers who disclosed the vulnerabilities. Some $23,000 of this went to just two researchers, one of whom, surprisingly, was rewarded for that low-impact vulnerability.
The named Chrome vulnerabilities
As usual, there is little detailed information available currently. Google sensibly withholds this until such a time as a majority of the userbase has had the opportunity to update. Here’s what we do know:
- $16,000 was awarded to an anonymous researcher for a high-rated use after free vulnerability CVE-2022-2477 in guest view.
- $7,500 was awarded to ‘triplepwns’ for a high-rated use after free vulnerability CVE-2022-2478 in PDF.
- $3,000 was awarded to an anonymous researcher for a high-rated vulnerability CVE-2022-2479 involving insufficient validation of untrusted input in files.
- Two further high-rated vulnerabilities, CVE-2022-2480 and CVE-2022-2481, from Sergei Glazunov (a member of the Google Project Zero team) and YoungJoo Lee respectively, have yet to have any bounty awarded. The first is a use after free in the service worker API and the second a use after free in views.
- $7,000 was awarded to Chaoyuan Peng for the low-rated use after free vulnerability CVE-2022-2163 in cast user interface and toolbar.