Today is known as 'Exploit Wednesday' because it follows Patch Tuesday when big-name vendors release multiple security patches. I have already reported this morning how Microsoft confirmed no less than four new Windows zero-days being actively exploited in the wild. While none are zero-days, Google is also rolling out an update to address six high-severity security issues impacting the Chrome browser. Four of these earned the hackers who reported them a total of $45,000.
What are the six new high-severity Google Chrome CVEs?
With a total of 10 security issues fixed in this latest update to Chrome version 107.0.5304.110 for Mac and Linux and 107.0.5304.106/.107 for Windows, six have been allocated Common Vulnerabilities and Exposures (CVE) ratings of high.
- CVE-2022-3886, another use after free vulnerability but this time within Chrome's speech recognition system, was reported by a researcher who wishes to remain anonymous. Along with that anonymity being granted, they received a bounty of $10,000.
- CVE-2022-3887, also reported by a shy hacker, this time earning $7,000, is a use-after-free vulnerability in the 'web workers' script running system.
- CVE-2022-3888, a use-after-free vulnerability within WebCodecs, was reported by Peter Nemeth, who also earned a $7,000 bounty.
- CVE-2022-3889, is a type confusion vulnerability in the V8 engine, and CVE-2022-3890 is a heap buffer overflow in the Crashpad crash-reporting system. Both were reported by hackers who wish to remain anonymous, and bounty payments have yet to be confirmed.
Patch your applications without undue delay, security expert says
All of the vulnerabilities, Mike Walters, vice president of Vulnerability and Threat Research at Action1 explains, "can be exploited only if a user visits a website with malicious payloads, such as by clicking on a link in a phishing email or through careless browsing." Nonetheless, he recommends that users "patch all your Chrome applications without undue delay."
The Google Chrome security updates for Windows, Mac, and Linux users will already be rolling out and should reach all users within the next few days or weeks. You can kickstart the process by going to the Help|About Chrome menu setting. This action will check if an update is available and download it; the user just needs to restart the browser to activate the patching. If you do nothing, the update should arrive automatically but, as before, it will only be activated once the browser is restarted.
Users of other popular Chromium-based browsers, such as Brave and Edge, should also check to see if updates are available or have been installed.