We’ve said it before and we’ll say it again — you should always keep all of your software up to date. There are simply too many cyberattacks to risk leaving vulnerabilities unpatched on any of your devices. We bring this up now because Google released a stable channel update for the Chrome browser this week that includes 11 security fixes. Notably, one is for a zero-day vulnerability in Chrome with an exploit that exists in the wild.
Update Chrome to patch a zero-day vulnerability
According to Google, the zero-day exploit involves “insufficient validation of untrusted input in Intents.” As Ars Technica explains (via Dark Reading), Chrome uses these intents to process user input. If Chrome doesn’t validate the input properly, an attacker can craft an input the browser doesn’t expect. This can result in arbitrary code execution.
Here are descriptions of the 11 security vulnerabilities Google patched as well as the names of the groups that discovered them and their payouts:
- [$NA] Critical CVE-2022-2852: Use after free in FedCM. Reported by Sergei Glazunov of Google Project Zero on 2022-08-02
- [$7000] High CVE-2022-2854: Use after free in SwiftShader. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-06-18
- [$7000] High CVE-2022-2855: Use after free in ANGLE. Reported by Cassidy Kim of Amber Security Lab, OPPO Mobile Telecommunications Corp. Ltd. on 2022-07-16
- [$5000] High CVE-2022-2857: Use after free in Blink. Reported by Anonymous on 2022-06-21
- [$5000] High CVE-2022-2858: Use after free in Sign-In Flow. Reported by raven at KunLun lab on 2022-07-05
- [$NA] High CVE-2022-2853: Heap buffer overflow in Downloads. Reported by Sergei Glazunov of Google Project Zero on 2022-08-04
- [$NA] High CVE-2022-2856: Insufficient validation of untrusted input in Intents. Reported by Ashley Shen and Christian Resell of Google Threat Analysis Group on 2022-07-19
- [$3000] Medium CVE-2022-2859: Use after free in Chrome OS Shell. Reported by Nan Wang (@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-06-22
- [$2000] Medium CVE-2022-2860: Insufficient policy enforcement in Cookies. Reported by Axel Chong on 2022-07-18
- [$TBD] Medium CVE-2022-2861: Inappropriate implementation in Extensions API. Reported by Rong Jian of VRI on 2022-07-21
This is the fifth zero-day vulnerability for Chrome that Google has reported in 2022.
How to update your Chrome browser
Chrome doesn’t always apply the latest updates when you open the browser, so if you want to check and see which version you are running, go to Settings and then About Chrome at the bottom of the menu bar on the left side of the screen.
If you are already running the latest version of the browser, then you are good to go. If not, you should begin the process of updating as soon as possible. Once it finishes downloading, click the Relaunch button to finish updating.