Chrome users, you need to take action. Google has warned that there are several new high-severity vulnerabilities in its browser, including one it deems “critical”. This is what you need to know to stay safe.
Google published the warning in an official blog post, confirming 11 new vulnerabilities, including nine that it considers high-level threats in addition to the aforementioned critical flaw. Chrome users running Windows, macOS, and Linux are all vulnerable.
As is common practice, Google is currently limiting information about the new vulnerabilities in an effort to buy time for Chrome users to upgrade. That said, the company has listed the areas where successful exploits have taken place, and they form a familiar pattern. I have listed the 10 most serious below:
- Critical – CVE-2022-0971: Use after free in Blink Layout. Reported by Sergei Glazunov of Google Project Zero on 2022-02-21
- High – CVE-2022-0972: Use after free in extensions. Reported by Sergei Glazunov of Google Project Zero on 2022-02-28
- High – CVE-2022-0973: Use after free in Safe Browsing. Reported by avaue and Buff3tts to SSL on 2022-02-15
- High – CVE-2022-0974: Use after free in split screen. Reported by @ginggilBesel on 2022-01-28
- High – CVE-2022-0975: Use after free in ANGLE. Reported by SeongHwan Park (SeHwa) on 2022-02-09
- High – CVE-2022-0976: Heap buffer overflow in GPU. Reported by Omair on 2022-02-13
- High – CVE-2022-0977: Use after free in browser UI. Reported by Khalil Zhani on 2022-02-20
- High – CVE-2022-0978: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-02-20
- High – CVE-2022-0979: Use after free in Safe Browsing. Reported by anonymous on 2022-03-03
- Medium – CVE-2022-0980: Use after free in New Tab page. Reported by Krace on 2022-03-02
‘Use-After-Free’ (UAF) exploits have always been the most efficient way to hack Chrome, but this release takes it to another level, with nine out of the 11 vulnerabilities being of this type. There have now been 40 Chrome UAF vulnerabilities since the start of 2022. UAF vulnerabilities are memory flaws that arise when a program fails to clear a pointer to memory after that memory has been freed.
The second most popular route is a heap buffer overflow, and this accounts for the remaining vulnerability. Heap memory is dynamically allocated and usually contains program data. With an overflow (also called “heap smashing”), critical data structures can be overwritten, making it an ideal target for hackers.
The good news, however, is that Google found no new zero-day vulnerabilities (when a hacker is able to exploit a vulnerability before a fix is found). That said, Google recently warned that zero-day hacks are on the rise.
To combat these new threats, Google has released Chrome 99.0.4844.74 (Chrome 100 will be available soon). Google says the update “will be rolling out over the next few days/weeks.”
To check if your browser is protected, go to Settings > Help > About Google Chrome. This will tell you your browser version. If the update is not yet available for your browser, check back regularly. And remember that you are not protected until your browser is restarted. So make it the next thing you do.
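For anyone checking more than one machine, the comparison against 99.0.4844.74 has to be numeric, part by part: a plain string comparison would rank Chrome 100 below Chrome 99. The following is an added example, not code from Google or from this article; the function names, host names and sample version strings are constructed for illustration, and it assumes the input is a line of text containing a four-part version such as the one shown on the About page.

```python
import re

# Fixed build named in the article for this round of patches.
PATCHED = "99.0.4844.74"

# Four dot-separated numeric parts, e.g. 99.0.4844.74
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_version(text):
    """Extract a four-part version from free text as a tuple of ints.

    Returns None when no four-part version is present.
    """
    m = _VERSION_RE.search(text)
    return tuple(int(p) for p in m.groups()) if m else None


def is_patched(text, minimum=PATCHED):
    """True if the version found in `text` is at or above `minimum`.

    Unparseable input counts as not patched so that it gets looked at.
    """
    found = parse_version(text)
    return found is not None and found >= parse_version(minimum)


def triage(inventory):
    """Return sorted host names whose version is below PATCHED or unreadable."""
    return sorted(h for h, v in inventory.items() if not is_patched(v))


# Constructed sample inventory (host names and values are made up).
SAMPLE = {
    "laptop-01": "Google Chrome 99.0.4844.74",
    "laptop-02": "Google Chrome 99.0.4844.51",
    "laptop-03": "Google Chrome 100.0.1000.10",
    "laptop-04": "Version 98.0.4758.102 (Official Build) (64-bit)",
    "laptop-05": "Google Chrome 99.0.4844.100",
    "laptop-06": "chrome: command not found",
}

if __name__ == "__main__":
    for host in triage(SAMPLE):
        print(f"{host}: update or check manually ({SAMPLE[host]!r})")
```

The version a machine reports as installed only protects it once the browser has been restarted, so a passing result still needs that restart.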