Chrome users, you need to be alert. Google has issued a new warning to its circa three billion Chrome users around the world confirming new ‘High’ level attacks on its browser. This is what you need to know to stay safe.
Google announced the news in an official blog post, revealing that a total of 28 successful Chrome hacks have been discovered – nine of which are considered ‘High’ level threats. All 28 attacks affect Chrome across all major platforms: Windows, Mac and Linux.
What Are The New Chrome Hacks?
To protect users and buy them time to upgrade, Google is currently restricting information about the new exploits. Consequently, Google has only provided broad categorizations of where the successful attacks have been made:
- High – CVE-2022-0789: Heap buffer overflow in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-01-21
- High – CVE-2022-0790: Use after free in Cast UI. Reported by Anonymous on 2021-11-26
- High – CVE-2022-0791: Use after free in Omnibox. Reported by Zhihua Yao of KunLun Lab on 2021-12-09
- High – CVE-2022-0792: Out of bounds read in ANGLE. Reported by Jaehun Jeong(@n3sk) of Theori on 2022-01-11
- High – CVE-2022-0793: Use after free in Views. Reported by Thomas Orlita on 2022-01-28
- High – CVE-2022-0794: Use after free in WebShare. Reported by Khalil Zhani on 2022-02-04
- High – CVE-2022-0795: Type Confusion in Blink Layout. Reported by 0x74960 on 2021-12-27
- High – CVE-2022-0796: Use after free in Media. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-10
- High – CVE-2022-0797: Out of bounds memory access in Mojo. Reported by Sergei Glazunov of Google Project Zero on 2021-12-21
Continuing a long-established pattern, hackers are getting most joy with ‘Use-After-Free’ (UAF) exploits. The five successful high-level attacks here bring the total number of Chrome UAF hacks to 31 since the start of 2022. UAF vulnerabilities are memory flaws that arise when a program fails to clear the pointer to memory after it is freed and then goes on using that stale pointer.
Interestingly, there is just a single High level heap buffer overflow attack. This has been the second most prominent avenue of attack. Also known as ‘Heap Smashing’, a heap buffer overflow writes past the end of a buffer on the heap, where memory is dynamically allocated and typically contains program data. With an overflow, critical data structures can be overwritten, which makes it an ideal target for hackers.
The good news in the latest hacks is there are no Zero-Day vulnerabilities. Zero-Day attacks are when hackers create a successful exploit before the company can respond, and they are the most dangerous kind of security exploit. In this instance, Google has found fixes before the flaws became publicly known, but Chrome users still need to act quickly.
Updating Chrome – What You Need To Do
To combat the new threats, Google has announced Chrome 99.0.4844.51. Google states that the release “will roll out over the coming days/weeks”, so not everyone will be able to protect themselves immediately.
To check if your browser is protected, navigate to Settings > Help > About Google Chrome and check if your browser version is listed as 99.0.4844.51 or higher. If the update is not yet available for your browser, check back regularly.
Critical step: after updating, Chrome must be restarted before the fixes will take effect. With 3.2 billion Chrome users worldwide, even a small number of users forgetting this step can leave millions of systems vulnerable and a prime target for hackers. Go update, right now.
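For anyone looking after more than one machine, the version check and the restart step above can be scripted. This is an added example, not code from Google or the original article: the inventory layout, host names and sample version strings are constructed, and only the fixed version 99.0.4844.51 comes from the article.

```python
import re

FIXED = (99, 0, 4844, 51)  # fixed release named in the article

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four-part Chrome version found in text as ints, or None."""
    m = _VERSION_RE.search(text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(installed, running):
    """Classify one host from its installed and currently running versions."""
    inst, run = parse_version(installed), parse_version(running)
    if inst is None:
        return "unknown"
    # Tuples compare number by number, so 99.0.4844.9 < 99.0.4844.51
    # and 100.x > 99.x, which plain string comparison gets wrong.
    if inst < FIXED:
        return "update-needed"
    # Updated on disk, but the old build stays loaded until Chrome restarts.
    if run is not None and run < FIXED:
        return "restart-needed"
    # No running version reported is treated as "Chrome not open" (assumption).
    return "patched"


# Constructed sample inventory: (host, installed version, running version).
INVENTORY = [
    ("ws-01", "Google Chrome 99.0.4844.51", "99.0.4844.51"),
    ("ws-02", "Google Chrome 98.0.1000.1", "98.0.1000.1"),
    ("ws-03", "Google Chrome 99.0.4844.51", "98.0.1000.1"),
    ("ws-04", "Google Chrome 100.0.0.0", "100.0.0.0"),
    ("ws-05", "Google Chrome 99.0.4844.9", "99.0.4844.9"),
    ("ws-06", "not installed", ""),
]


def audit(inventory):
    """Map each host name to its status string."""
    return {host: classify(inst, run) for host, inst, run in inventory}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```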