On Thursday, Google released security patches to stomp out high-severity vulnerabilities in its Chrome browser. Patches for all the bugs Google disclosed in its security advisory roll out over the next few days.
Overall, eight security bugs were addressed in Chrome browser version 80.0.3987.162 for Windows, Mac, and Linux. The most severe of these flaws could allow for arbitrary code execution, according to the Center for Internet Security (CIS).
“Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser,” according to CIS in a Wednesday alert. “Depending on the privileges associated with the application, an attacker could view, change, or delete data. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.”
As is typical for Chrome updates, Google is initially scant in details of the bugs “until a majority of users are updated with a fix.” It did outline three of the vulnerabilities that were discovered by external researchers, however.
These included two high-severity vulnerabilities the WebAudio component of Chrome (CVE-2020-6450 and CVE-2020-6451). The WebAudio component is used for processing and synthesizing audio in web applications.
The flaws tied to CVE-2020-6450 and CVE-2020-6451 are both use-after-free flaws. Use after free is a memory corruption flaw where an attempt is made to access memory after it has been freed. This can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code.
According to vulnerability database Vuldb, the flaw tied to CVE-2020-6450 could be exploited remotely and no form of authentication is required for exploitation. Both flaws were reported by Man Yue Mo of GitHub Security Lab on March 17.
Another vulnerability was discovered in the Media component of Chrome, which displays video and audio in browsers. The vulnerability (CVE-2020-6452) is a heap-based buffer overflow. A buffer overflow attack exists when a buffer (a region in physical memory storage used to temporarily store data) is allocated in the heap portion of memory (a region of process’s memory which is used to store dynamic variables). That excess data in turn corrupts nearby space in memory and could alter other data, opening the door for malicious attacks. This flaw was reported by a researcher under the alias “asnine” on March 9.
The CIS alert recommended that Chrome users “apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.”
Chrome has plagued by vulnerabilities over the past few months. Google in February 2020 said it patched a Chrome web browser zero-day bug being actively exploited in the wild. The flaw affected versions of Chrome running on the Windows, macOS and Linux platforms.
Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.