Google has released security updates for Google Chrome browser for Windows, Mac and Linux, addressing vulnerabilities that could allow a remote attacker to take control of systems.
There are 11 fixes in total, including five that are classed as high-severity. As a result, CISA has issued an alert encouraging IT administrators and regular users to install the updates as soon as possible to ensure their systems are not vulnerable to the flaws.
Among the most severe vulnerabilities that are patched by the Google Chrome update is CVE-2022-2477, a vulnerability caused by a use-after-free flaw in Guest View, which could allow a remote attacker to execute arbitrary code on systems or crash them.
Use-after-free is a vulnerability as a result of the incorrect use of dynamic memory during the operation of an application, freeing a memory location in error – something that an attacker can exploit.
Another of the vulnerabilities, CVE-2022-2480, relates to a use-after-free flaw in the Service Worker API, which which acts as a proxy server that sit between web applications, the browser and the network in order to improve offline experiences, among other things.
The specific functionality that this vulnerability relates to has yet to be disclosed, but it can lead to a memory corruption flaw if abused, which can be used to crash systems or execute code – essentially allowing attackers to install malware or otherwise abuse the system.
It requires some sort of user interaction but, as with many of the vulnerabilities disclosed in this update, the full details are yet to be made public. According to Google, this is because they're waiting for users to apply the updates first, so they're protected from anybody trying to exploit them.
"Access to bug details and links may be kept restricted until a majority of users are updated with a fix," the Chrome team said in the update.
"We would also like to thank all security researchers that worked with us during the development cycle to prevent security bugs from ever reaching the stable channel," they added.
CISA warns that the fixes relate to "vulnerabilities that an attacker could exploit to take control of an affected system" and that the updates should be applied as soon as possible.