• December 5, 2022


Today is known as ‘Exploit Wednesday’ because it follows Patch Tuesday when big-name vendors release multiple security patches. I have already reported this morning how Microsoft confirmed no less than four new Windows zero-days being actively exploited in the wild. While none are zero-days, Google is also rolling out an update to address six high-severity security issues impacting the Chrome browser. Four of these earned the hackers who reported them a total of $45,000.

What are the six new high-severity Google Chrome CVEs?

This latest update, which takes Chrome to version 107.0.5304.110 for Mac and Linux and 107.0.5304.106/.107 for Windows, fixes a total of 10 security issues. Six of them have been assigned Common Vulnerabilities and Exposures (CVE) identifiers and are rated high severity by Google.

These are:

  • CVE-2022-3885, a use-after-free vulnerability in the V8 JavaScript engine, earned the reporting hacker, a security researcher identified as gzobqq@, a cool $21,000 bounty.
  • CVE-2022-3886, another use-after-free vulnerability, this time within Chrome’s speech recognition system, was reported by a researcher who wishes to remain anonymous. Along with that anonymity being granted, they received a bounty of $10,000.
  • CVE-2022-3887, also reported by a shy hacker, this time earning $7,000, is a use-after-free vulnerability in the ‘web workers’ script-running system.
  • CVE-2022-3888, a use-after-free vulnerability within WebCodecs, was reported by Peter Nemeth, who also earned a $7,000 bounty.
  • CVE-2022-3889 is a type confusion vulnerability in the V8 engine, and CVE-2022-3890 is a heap buffer overflow in the Crashpad crash-reporting system. Both were reported by hackers who wish to remain anonymous, and bounty payments have yet to be confirmed.

Patch your applications without undue delay, security expert says

All of the vulnerabilities, Mike Walters, vice president of Vulnerability and Threat Research at Action1, explains, “can be exploited only if a user visits a website with malicious payloads, such as by clicking on a link in a phishing email or through careless browsing.” Nonetheless, he recommends that users “patch all your Chrome applications without undue delay.”

The Google Chrome security updates for Windows, Mac, and Linux users will already be rolling out and should reach all users within the next few days or weeks. You can kickstart the process by going to Help > About Google Chrome. This checks whether an update is available and downloads it; the user then needs to restart the browser to activate the patch. The same page shows the installed version, so after restarting you can confirm it reads 107.0.5304.110 (Mac and Linux) or 107.0.5304.106/.107 (Windows). If you do nothing, the update should arrive automatically but, as before, it will only take effect once the browser is restarted.

Users of other popular Chromium-based browsers, such as Brave and Edge, should also check to see if updates are available or have been installed. Those browsers carry their own version numbers, so check the vendor's own release notes rather than comparing against Chrome's build number.
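As an added example, not code from the article or from Google, the following POSIX shell script turns the manual Help > About check into something that can be run across a fleet: it parses a browser's `--version` banner and compares the build numerically against the fixed builds the article lists for each platform (a plain string comparison would wrongly rank 107.0.5304.87 above 107.0.5304.110). The sample banners are constructed, and the `google-chrome` command used by the optional live check is an assumption about the host; it applies to Chrome and Chromium builds only, since Brave and Edge use their own version numbering.

```shell
#!/bin/sh
# Added example (not from the article): check whether an installed Chrome or
# Chromium build is at or above the fixed build for this update.
# Fixed builds as stated in the article:
#   Mac and Linux: 107.0.5304.110
#   Windows:       107.0.5304.106 and 107.0.5304.107 (.106 is the lower bound)

# Lowest patched build for a platform (mac | linux | windows).
fixed_version_for() {
    case "$1" in
        mac|linux) echo 107.0.5304.110 ;;
        windows)   echo 107.0.5304.106 ;;
        *)         echo "unknown platform: $1" >&2; return 1 ;;
    esac
}

# Pull the first dotted numeric version out of a "--version" banner such as
# "Google Chrome 107.0.5304.110" or "Chromium 108.0.5359.71 snap".
extract_version() {
    printf '%s\n' "$1" | grep -o '[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -n 1
}

# version_ge A B: succeed when dotted version A is numerically >= B.
# Compares up to four components; a missing component counts as 0.
version_ge() {
    IFS=. read -r h1 h2 h3 h4 rest <<EOF
$1
EOF
    IFS=. read -r w1 w2 w3 w4 rest <<EOF
$2
EOF
    for pair in "${h1:-0}:${w1:-0}" "${h2:-0}:${w2:-0}" \
                "${h3:-0}:${w3:-0}" "${h4:-0}:${w4:-0}"; do
        h=${pair%%:*}
        w=${pair#*:}
        if [ "$h" -gt "$w" ]; then
            return 0
        elif [ "$h" -lt "$w" ]; then
            return 1
        fi
    done
    return 0
}

# chrome_is_patched BANNER PLATFORM: succeed if the banner's build carries the
# fixes; fail with 1 if it is older; fail with 2 if the banner or platform
# could not be parsed.
chrome_is_patched() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    want=$(fixed_version_for "$2") || return 2
    version_ge "$v" "$want"
}

# Constructed sample banners, not captured from real machines.
for banner in "Google Chrome 107.0.5304.87" \
              "Google Chrome 107.0.5304.110" \
              "Chromium 108.0.5359.71 snap"; do
    if chrome_is_patched "$banner" linux; then
        echo "$banner: carries the fixes"
    else
        echo "$banner: update and restart required"
    fi
done

# Optional live check on a Linux host; the binary name is an assumption and
# varies by distribution. Run with: sh check_chrome.sh --live
if [ "${1:-}" = "--live" ] && command -v google-chrome >/dev/null 2>&1; then
    if chrome_is_patched "$(google-chrome --version)" linux; then
        echo "installed Chrome is patched"
    else
        echo "installed Chrome needs updating"
    fi
fi
```

Remember that a patched binary on disk is not the same as a patched browser in memory: as the article notes, the fix only takes effect once every running Chrome process has been restarted.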

