Google, Apple squash exploitable browser bugs
Chrome flaw has public exploit, WebKit hole actively abused along with kernel escalation
Google has issued 11 security fixes for desktop Chrome, including one bug that has an exploit for it out in the wild.
That high-severity vulnerability, tracked as CVE-2022-2856, is an improper input validation bug, and as per usual, Google doesn't release many details about it until the bulk of Chrome users are updated and the code is fixed.
In an advisory, the internet giant described the flaw as "insufficient validation of untrusted input in Intents," and noted that it "is aware that an exploit for CVE-2022-2856 exists in the wild."
Chrome Intents can be used to launch apps from webpages and pass data to those applications.
Sophos security researchers note that Google didn't provide any details about how this functionality can be manipulated to compromise a user's device. "The danger seems rather obvious if the known exploit involves silently feeding a local app with the sort of risky data that would normally be blocked on security grounds," Sophos's Paul Ducklin added.
Googlers Ashley Shen and Christian Resell, both part of the Threat Analysis Group, reported the vulnerability on July 19.
This is the fifth Chrome bug Google has fixed this year that has either been exploited or had exploit code in the wild.
- Google's bug bounty boss: Finding and patching vulns? 'Totally useless'
- If you can find and fix this subtle Chromium bug that breaks some extensions, there's $8k waiting for you
- Google updates Chrome to squash actively exploited WebRTC Zero Day
- Google issues third emergency fix for Chrome this year
While Google isn't aware of any exploits for the remaining bugs on today's list, one received a critical-severity rating and it deemed five others high severity.
The Center for Internet Security, which ranked the risk of these Chrome vulnerabilities as "high" for large and medium government agencies and businesses, and "medium" for small government and companies, warned the most severe of the bugs would allow an attacker to execute malicious code "in the context of the logged-on user."
"Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," CIS explained in a security advisory. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights."
In addition to the bug under active exploit, Google detailed nine of the 11 bugs in its update (104.0.5112.101 for Mac and Linux and 104.0.5112.102/101 for Windows). These are:
- CVE-2022-2852 (critical): Use after free in FedCM
- CVE-2022-2854 (high): Use after free in SwiftShader
- CVE-2022-2855 (high): Use after free in ANGLE
- CVE-2022-2857 (high): Use after free in Blink
- CVE-2022-2858 (high): Use after free in Sign-In Flow.
- CVE-2022-2853 (high): Heap buffer overflow in Downloads
- CVE-2022-2859 (medium): Use after free in Chrome OS Shell
- CVE-2022-2860 (medium): Insufficient policy enforcement in Cookies
- CVE-2022-2861 (medium): Inappropriate implementation in Extensions API
The Chrome Vulnerability Reward Program paid out at least $29,000 to bug hunters who discovered and reported these flaws.
This included two $7,000 bounties paid to Cassidy Kim of Amber Security Lab for CVE-2022-2854 and CVE-2022-2855; a $5,000 reward to an anonymous person for CVE-2022-2857; another $5,000 to raven at KunLun lab for CVE-2022-2858; $3,000 to Nan Wang and Guang Gong of 360 Alpha Lab for CVE-2022-2859; and $2,000 to Axel Chong for CVE-2022-2860.
In total, Google paid out $8.7 million in rewards to almost 700 researchers across its various VPRs last year. ®
Speaking of patches... We've just seen that Apple has issued macOS 12.5.1, iOS 15.6.1, and iPadOS 15.6.1 updates to address a flaw in the kernel (CVE-2022-32894) that can be abused by an app to gain total control of the Mac or device, and a flaw in WebKit (CVE-2022-32893) that can be exploited to execute arbitrary code.
Someone could thus combine exploitation of the two flaws so that when a victim opens a booby-trapped webpage in a WebKit browser, such as Safari, the page can begin executing arbitrary code to exploit the privilege-escalation flaw to hijack the computer or iThing, and install spyware and other nasties.
And indeed, Apple said it "is aware of a report that this issue may have been actively exploited," so get patching ASAP!