Microsoft isn’t the only one dishing out security updates this week; Google has likewise been busy on that front. As well as fixing its Mojo, Google has also secured its Aura. If that wasn’t enough, it’s done so with a couple of Blinks for good measure.
No, I haven’t been on the festive spirits early; I’m talking about the latest Google Chrome security update for Windows, Mac, Linux, and Android users.
It’s Patch Tuesday week, and that usually means a bunch of vendors push out security updates for their products around the same time and for the same reasons. The likes of Microsoft, Adobe, and Oracle will all release security patches on the second Tuesday of the month so as to allow organizations time to organize their patching schedule. As well as knowing well in advance when these large update instances will drop, Tuesday was chosen to ensure any problems would be apparent before the weekend. Google also often issues security updates for the Chrome web browser at this time, and December has been no exception.
Windows, MacOS, and Linux users will find that an update to Google Chrome version 108.0.5359.124 (some Windows users may see it as version 108.0.5359.125) will reach their desktop versions over the coming days and weeks.
There are a total of eight security issues addressed, of which brief details have only been given for five of them. Four of these are high-severity vulnerabilities, so I shall concentrate on those. As is the norm for Google, no detailed technical descriptions of the vulnerabilities have been made public at this time. This is to ensure that a majority of Google Chrome users can update first and so keep potential attackers on the back foot. I’ll break these down into three categories: Mojo, Aura, and Blink.
CVE-2022-4437 is where fixing Google Chrome’s Mojo comes in. Chrome’s what, you might well be wondering. Sadly, it’s not as exciting as dictionary definitions of the word suggest. There’s no magic spell involved here, nor has it anything to do with sex appeal. Rather, the Mojo in question is a collection of runtime libraries. While it may not be exciting, it is an important part of the Chrome code universe, and any vulnerabilities need to be taken seriously. Which is why Google paid security researchers ‘koocola’ and Guang Gong of the 360 Vulnerability Research Institute a cool $6,000 for disclosing this use after free vulnerability in Chrome Mojo inter-process communication (IPC.)
CVE-2022-4439 is another use after free vulnerability, also high-rated, but this time within Google Chrome’s Aura. Sorry to disappoint once again, but no parapsychology connection here, just the rather boring technical one. According to the Google Chromium user interface platform documentation, Aura “abstracts the Window Manager away from Chromium on Windows, Linux, and Chrome OS.” This vulnerability was reported by a security researcher who wishes to remain anonymous, and the bounty payment has yet to be determined in this case.
Which leaves us with Blink, an open-source browser layout and rendering engine developed by Google and a bunch of other big names. There are two more use after free vulnerabilities impacting Blink, CVE-2022-4436 is a vulnerability in Blink Media, while CVE-2022-4438 is a vulnerability in Blink Frames. Both were disclosed by anonymous researchers, the first being paid a bounty of $7,000 and the second $1,500.
Although Google Chrome will automatically update for most users, this does not apply to everyone. Especially at risk of remaining unpatched against these latest vulnerabilities are those who keep large numbers of tags open and rarely restart their browser. It is therefore recommended that you force an update, which will only take a minute or two at the most.
Make sure your Chrome browser is patched and the update activated
Other web browsers that use the Chromium engine will also require updating, and you should check for these in the likes of Edge, Brave, and Opera in the coming days.
Chrome for Android is updated to version 108.0.5359.128, and this should be available to users on Google Play in the coming few days, if not already. Krishna Govind, a Chrome program manager at Google, confirmed that this contains “the same security fixes as their corresponding desktop release unless otherwise noted.”