The heap buffer overflow issue in the browser’s WebRTC engine could make it possible for attackers to execute arbitrary code.
While people were celebrating the Fourth of July holiday in the United States, Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability, the fourth such flaw the vendor has had to patch in its browser product so far this year.
Chrome 103 (103.0.5060.71) for Android and Version 103.0.5060.114 for Windows and Mac, outlined in separate blog posts published Monday, fix a heap buffer overflow flaw in WebRTC, the engine that gives the browser its real-time communications capability.
The vulnerability, tracked as CVE-2022-2294 and reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1, is described as a buffer overflow, “where the buffer that can be overwritten is allocated in the heap portion of memory,” according to the vulnerability’s listing on the Common Weakness Enumeration (CWE) website.
As per usual, Google did not reveal specific details about the bug, as it generally waits until most users have updated to the patched version of the affected product. Indeed, updating is strongly recommended, as exploits for the vulnerability already exist in the wild, Google said.
Moreover, with scant details revealed about the flaw, a habit of Google’s that many security researchers find frustrating, at this point an update is really the only way to defend against attacks exploiting the flaw. Fortunately, Google Chrome updates are pushed out without user intervention, so most users will be protected once patches are available.
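Since updating is the only defense described here, one way to confirm it has happened across a fleet is to compare each reported Chrome build against the fixed builds named above. This is an added example, not Google's or the article's code; the inventory records and host names are constructed, and it assumes any build at or above the fixed one on the same platform carries the patch.

```python
# Fixed builds as named in the article (Android, Windows, Mac only).
PATCHED = {
    "android": (103, 0, 5060, 71),
    "windows": (103, 0, 5060, 114),
    "mac": (103, 0, 5060, 114),
}

def parse_version(text):
    """Return a 4-tuple of ints for a Chrome build string, or None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(platform, version):
    """Return 'patched', 'vulnerable' or 'unknown' for one inventory record."""
    minimum = PATCHED.get(platform.strip().lower())
    build = parse_version(version)
    # Platforms the article does not cover, or unparseable builds, need manual review.
    if minimum is None or build is None:
        return "unknown"
    # Assumption: a build >= the fixed build on that platform includes the fix.
    return "patched" if build >= minimum else "vulnerable"

# Constructed inventory: (host, platform, reported Chrome build).
INVENTORY = [
    ("host-01", "Windows", "103.0.5060.114"),
    ("host-02", "Windows", "103.0.5060.66"),
    ("host-03", "Mac", "102.0.5005.115"),
    ("phone-01", "Android", "103.0.5060.71"),
    ("phone-02", "Android", "103.0.5060.70"),
    ("host-04", "Linux", "103.0.5060.114"),    # platform not listed in the article
    ("host-05", "Windows", "103..5060.114"),   # malformed build string
    ("host-06", "Mac", "104.0.5112.20"),
]

def report(inventory):
    """Group host names by patch status."""
    out = {"patched": [], "vulnerable": [], "unknown": []}
    for host, platform, version in inventory:
        out[classify(platform, version)].append(host)
    return out

if __name__ == "__main__":
    for status, hosts in report(INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown are not cleared: they need a manual check rather than being counted as patched.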
Buffer overflows typically lead to crashes or other attacks that make the affected program unavailable, including putting the program into an infinite loop, according to the CWE listing. Attackers can take advantage of the situation by using the crash to execute arbitrary code, typically outside of the scope of the program’s security policy.
“Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code,” according to the listing. “Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory.”
Then in April, the company patched CVE-2022-1364, another type confusion flaw affecting Chrome’s use of V8 on which attackers already had pounced.
Another flaw patched in Monday’s Chrome update is a use-after-free flaw in Chrome OS Shell reported by Khalil Zhani on May 19 and tracked as CVE-2022-2296, according to Google. All of the flaws patched in this week’s update received a rating of high. The updates also include several fixes from internal audits, fuzzing and other initiatives, Google said.