Inscrivez-vous maintenant pour un meilleur devis personnalisé!

Google rushes out Chrome browser fix for new zero-day flaw

25 nov. 2022 Hi-network.com

 

Image: Getty/Manuel Breva Colmeiro

Google has released an update for Chrome to address a previously undisclosed or zero-day flaw that is under attack. 

According to Google, the high-severity flaw, which is tracked as CVE-2022-4135, is due to a memory-related "heap buffer overflow in GPU". 

"Google is aware that an exploit for CVE-2022-4135 exists in the wild," Google says in its advisory. 

Security

  • 8 habits of highly secure remote workers
  • How to find and remove spyware from your phone
  • The best VPN services: How do the top 5 compare?
  • How to find out if you are involved in a data breach -- and what to do next

The issue was was reported on 22 November by Clement Lecigne, a researcher with Google's Threat Analysis Group. 

Also:Ransomware: Why it's still a big threat, and where the gangs are going next

Google is rolling out the fix in the coming days or weeks via the Stable channel release of Chrome, which has now been updated to 107.0.5304.121 for Mac and Linux, and 107.0.5304.121/.122 for Windows. 

Google is keeping details of the bug restricted until the majority of users are updated with the fix. 

The NIST's National Vulnerability Database, however, has a more detailed description of CVE-2022-4135, which helps explain why it's a high-severity flaw: a remote attacker can escape the Chrome sandbox by luring a target to a web page crafted in a way to exploit the security issue in the graphics renderer process.   

"Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page," NIST notes. 

According to Bleepingcomputer, it's the eighth actively exploited zero day in Chrome that Google has patched this year. Google's Project Zero zero-day tracker, however, only counts seven Chrome zero days this year as it's missing CVE-2022-3075, which it patched on September 2. 

By far, the most common category of flaws affecting Chrome on the zero-day tracker are memory corruption issues. Google is trying to harden Chrome's giant C++ code base against memory security flaws with heap scanning and MicarclPtr. In general, memory flaws account for 70% of high-severity bugs in Chrome. Both hardening techniques create an overhead on performance.   

Even though the flaw is likely being used in targeted attacks, Chrome users should install the update, which was available today when ZDNet checked.  

Google

Google Pixel 8 Pro review: This phone sold me on an AI-powered futurePixel 8 Pro vs. Pixel 7 Pro: Is it worth the upgrade?The best Android smartwatches you can buy (including the Pixel Watch 2)5 ways upgrading to Pixel 8 Pro made me happy I paid the higher price
  • Google Pixel 8 Pro review: This phone sold me on an AI-powered future
  • Pixel 8 Pro vs. Pixel 7 Pro: Is it worth the upgrade?
  • The best Android smartwatches you can buy (including the Pixel Watch 2)
  • 5 ways upgrading to Pixel 8 Pro made me happy I paid the higher price

tag-icon Tags chauds: technologie La sécurité

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.