Chrome users, you need to take action. Google has warned there are multiple new high-level vulnerabilities in its browser, including one it deems to be ‘Critical’. This is what you need to know to stay safe.
Google issued the warning in an official blog post, confirming 11 new hacks, nine of which it deems to be high-level threats in addition to the Critical exploit mentioned above. Chrome users running Windows, macOS and Linux are all vulnerable.
As is standard practice, Google is currently limiting information about the new hacks in an attempt to buy time for Chrome users to upgrade. That said, the company has listed where the successful exploits have taken place and it forms a familiar pattern. I have listed the 10 most serious below:
Critical – CVE-2022-0971: Use after free in Blink Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-02-21
High – CVE-2022-0972: Use after free in Extensions. Reported by Sergei Glazunov of Google Project Zero on 2022-02-28
High – CVE-2022-0973: Use after free in Safe Browsing. Reported by avaue and Buff3tts at S.S.L. on 2022-02-15
High – CVE-2022-0974 : Use after free in Splitscreen. Reported by @ginggilBesel on 2022-01-28
High – CVE-2022-0975: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-02-09
High – CVE-2022-0976: Heap buffer overflow in GPU. Reported by Omair on 2022-02-13
High – CVE-2022-0977: Use after free in Browser UI. Reported by Khalil Zhani on 2022-02-20
High – CVE-2022-0978: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-20
High – CVE-2022-0979: Use after free in Safe Browsing. Reported by anonymous on 2022-03-03
Medium – CVE-2022-0980: Use after free in New Tab Page. Reported by Krace on 2022-03-02
‘Use-After-Free’ (UAF) exploits have consistently been the most successful way to hack Chrome, but things have stepped up another level here with nine of the 11 hacks using this method. There have now been 40 UAF hacks of Chrome since the start of 2022. UAF vulnerabilities are memory exploits created when a program fails to clear the pointer to the memory after it is freed.
The second most popular route is via a Heap buffer overflow exploit and this makes up the remaining attack. Also referred to as ‘Heap Smashing’, memory on the heap is dynamically allocated and typically contains program data. With an overflow, critical data structures can be overwritten which makes it an ideal target for hackers.
The good news, however, is Google has found no new Zero-Day vulnerabilities (when a hacker is able to exploit a vulnerability before a fix is found). That said, Google recently warned zero-day hacks are rising.
To combat these new threats, Google has released Chrome 99.0.4844.74 (Chrome 100 is coming soon). Google says the update “will roll out over the coming days/weeks”.
To check if your browser is protected, navigate to Settings > Help > About Google Chrome. This will tell you your browser version. If the update is not yet available for your browser, check back regularly. And remember, you are not protected until your browser has been restarted. So make this the very next thing you do.
