Chrome update addresses seven high-severity vulnerabilities

Bug details 'may be kept restricted until a majority of users are updated with a fix'

Google has pushed out an urgent update to address seven severe security flaws in the Chrome browser, which hackers could use to take control of an affected system.

Google Chrome technical programme manager Srinivas Sista said Google has updated Chrome's stable channel to 92.0.4515.159 for Windows, Mac and Linux, which will roll out over the coming days/weeks.

The update includes fixes for nine security bugs in total, of which seven were discovered by external researchers.

Sista revealed very little information about the vulnerabilities, saying that access to bug details "may be kept restricted until a majority of users are updated with a fix."

Sista added, "We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven't yet fixed."

The USA's Cybersecurity and Infrastructure Security Agency (CISA) said one of the bugs could enable a threat actor 'to take control of an affected system'.

A hacker could use this access to steal bank details, use emails to propagate malware, or encrypt important files until a ransom is paid.

The seven serious bugs have the following CVE identification numbers and details:

V8 is Google's open-source JavaScript engine. Chrome and other browsers based on the Chromium project, including Microsoft Edge, Brave, Opera and Vivaldi, all use it.

WebRTC (Web real-time communications) is the technology that enables transferring video and audio streaming data between mobile apps and browsers.

ANGLE (Almost Native Graphics Layer Engine) is Google's open source, cross-platform graphics engine abstraction layer.

Google says it paid Manfred Paul a $21,000 bounty reward for both of the two bugs he reported, while 360 Alpha Lab researchers claimed a $20,000 bounty payment for each flaw they found.

CISA urged users to keep Chrome up-to-date at all times, to combat emerging threats.

Chrome users can check their browser version by navigating to Help > About Google Chrome. If the version is listed as 92.0.4515.159 or above, they don't need to take any further action.

If not, the About screen should prompt the user to update their browser. Once the update has downloaded, the user must restart the browser for the protection to start working.
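For administrators who need to run the same check across many machines, the following is an added example (not from Google or CISA) that compares collected version banners against the fixed build named above. It assumes banners in the form printed by `google-chrome --version` on Linux; the inventory format, hostnames and sample versions are constructed for illustration.

```python
import re

# Fixed stable build named in the article (Windows, Mac and Linux).
FIXED = (92, 0, 4515, 159)

# Assumed banner format, e.g. "Google Chrome 92.0.4515.159".
VERSION_RE = re.compile(r"^Google Chrome (\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(banner):
    """Return the four-part version as a tuple of ints, or None if not Google Chrome."""
    m = VERSION_RE.match(banner.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def assess(banner):
    """Classify one version banner as 'patched', 'outdated' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        # Another browser or a malformed banner: the article's build number
        # is stated for Google Chrome only, so do not guess.
        return "unknown"
    # Tuple comparison is numeric per component. Comparing the raw strings
    # would wrongly rank "92.0.4515.99" above "92.0.4515.159".
    return "patched" if version >= FIXED else "outdated"

def audit(inventory):
    """Map hostname -> status for 'hostname<TAB>banner' lines."""
    results = {}
    for line in inventory.strip().splitlines():
        host, _, banner = line.partition("\t")
        results[host.strip()] = assess(banner)
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """
ws-01\tGoogle Chrome 92.0.4515.159
ws-02\tGoogle Chrome 92.0.4515.131
ws-03\tGoogle Chrome 92.0.4515.99
ws-04\tGoogle Chrome 93.0.0.1
ws-05\tChromium 92.0.4515.159
ws-06\t
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a separate check against their own vendor's advisory rather than this build number.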

More than two billion people use Chrome worldwide, and it is one of cybercriminals' prime targets.