Security Advisory: Chrome Vulnerabilities Allow Code Execution

25th May 2022 | Advisory, Blog



CyberHoot Vulnerability Alert Management Process Rating (VAMP): Critical/Red

May 25th, 2022: CyberHoot has learned of multiple Google Chrome web browser vulnerabilities that could allow arbitrary code execution. Successful exploitation could allow an attacker to execute arbitrary code in the context of the browser. Depending on the privileges associated with the application, an attacker could view, change, or delete data. CyberHoot is releasing this advisory because we’re concerned about expected hacker attacks leading up to the Memorial Day long weekend in the US.

Google Chrome Vulnerabilities

Google rates vulnerabilities as critical if they allow an attacker to run arbitrary code on the underlying platform with the user’s privileges in the normal course of browsing.

This update patches the critical vulnerability listed as CVE-2022-1853: Use after free in Indexed DB.

Use after free (UAF) is a vulnerability caused by incorrect handling of dynamically allocated memory while a program runs. If a program frees a block of memory but does not clear the pointer that still refers to it, that stale (dangling) pointer can later be used to read or write memory that has since been reused, and an attacker can exploit the error to manipulate the program.
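The following is an added example, written for this advisory and not code from Chrome or from the sources it cites. It shows the two release patterns side by side in C: a release routine that frees memory but leaves the caller's pointer intact (the shape that produces a dangling pointer), and one that takes the pointer's address, frees the memory and nulls the pointer so every later access is rejected. All names (`Record`, `record_release`, `record_get_value`) are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record type used only for this illustration. */
typedef struct {
    char label[32];
    int  value;
} Record;

/* Allocate and initialise a record; returns NULL on allocation failure. */
Record *record_new(const char *label, int value) {
    Record *r = calloc(1, sizeof *r);
    if (r == NULL) return NULL;
    strncpy(r->label, label, sizeof r->label - 1);
    r->value = value;
    return r;
}

/* Unsafe release: the memory is freed, but the caller's copy of the
 * pointer is untouched. Any later dereference of that copy is a
 * use-after-free, and the program has no way to notice it. */
void record_free_unsafe(Record *r) {
    free(r);
}

/* Safe release: takes the address of the caller's pointer, frees the
 * memory and sets the pointer to NULL so it cannot be used again. */
void record_release(Record **pp) {
    if (pp == NULL || *pp == NULL) return;
    free(*pp);
    *pp = NULL;
}

/* All reads go through this accessor, which refuses a NULL record.
 * Returns 0 on success, -1 if the record has already been released. */
int record_get_value(const Record *r, int *out) {
    if (r == NULL || out == NULL) return -1;
    *out = r->value;
    return 0;
}

/* Exercises the safe path: returns 1 if the stale access after release
 * is rejected and the pointer was nulled, 0 otherwise. */
int demo_safe_release(void) {
    Record *r = record_new("session", 42);   /* constructed sample */
    if (r == NULL) return 0;
    int v = 0;
    if (record_get_value(r, &v) != 0 || v != 42) {
        record_release(&r);
        return 0;
    }
    record_release(&r);                      /* r is now NULL */
    return record_get_value(r, &v) == -1 && r == NULL;
}

int main(void) {
    printf("safe release rejects access after free: %s\n",
           demo_safe_release() ? "yes" : "no");
    return 0;
}
```

The unsafe routine is left in only to show the shape of the bug; the example never dereferences a freed pointer, because doing so is undefined behaviour. In a real codebase the same discipline is enforced by compiling tests with a memory-error detector such as AddressSanitizer, which flags a use of freed memory at the moment it happens.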

IndexedDB is a low-level Application Programming Interface (API) for client-side storage of significant amounts of structured data, including files. This API uses indexes to enable high-performance searches of this data. While Document Object Model (DOM) Storage is useful for storing smaller amounts of data, IndexedDB provides a solution for storing larger amounts of structured data.

Each IndexedDB database is unique to an origin (typically, this is the site domain or subdomain), meaning it should not be accessible by any other origin.

What Should You Do?

If your business deploys Chrome to your users, you should update to version 101.0.4951.41 as soon as possible.

The easiest way to update Chrome is to allow it to update automatically, which uses the same method as outlined below but doesn’t need you to do anything. But you can end up blocking automatic updates if you never close the browser, or if something goes wrong, such as an extension stopping you from updating the browser.

So, it doesn’t hurt to check now and then. And now would be a good time, given the severity of the vulnerabilities listed.

One method is to have Chrome open the page chrome://settings/help which you can also find by clicking Settings > About Chrome.

If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is relaunch the browser in order for the update to complete.
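For an administrator who wants to check a fleet rather than click through each browser, the following added example (not part of the advisory) parses a Chrome version string such as the one quoted above into its four numeric fields and reports whether an installed build is older than the fixed build. It generalises the single version on the page to any pair of dotted versions. Function names are hypothetical; the fixed version is the one the advisory states.

```c
#include <stdio.h>
#include <stdlib.h>

#define VERSION_FIELDS 4

/* Parse up to four dot-separated non-negative integers, e.g. "101.0.4951.41".
 * Missing trailing fields are treated as 0. Returns 0 on success,
 * -1 on malformed input (non-digits, negative numbers, too many fields). */
int parse_version(const char *s, int out[VERSION_FIELDS]) {
    for (int i = 0; i < VERSION_FIELDS; i++) out[i] = 0;
    if (s == NULL || *s == '\0') return -1;
    int i = 0;
    while (i < VERSION_FIELDS) {
        char *end;
        long n = strtol(s, &end, 10);
        if (end == s || n < 0) return -1;      /* no digits, or negative */
        out[i++] = (int)n;
        if (*end == '\0') return 0;            /* end of string */
        if (*end != '.') return -1;            /* unexpected character */
        s = end + 1;
    }
    return -1;                                 /* more than four fields */
}

/* Compare two parsed versions field by field; <0, 0, >0 like strcmp. */
int compare_versions(const int a[VERSION_FIELDS], const int b[VERSION_FIELDS]) {
    for (int i = 0; i < VERSION_FIELDS; i++) {
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    }
    return 0;
}

/* Returns 1 if the installed build is older than the fixed build (update
 * needed), 0 if it is at or above it, -1 if either string is malformed. */
int chrome_needs_update(const char *installed, const char *fixed) {
    int a[VERSION_FIELDS], b[VERSION_FIELDS];
    if (parse_version(installed, a) != 0 || parse_version(fixed, b) != 0) return -1;
    return compare_versions(a, b) < 0 ? 1 : 0;
}

int main(int argc, char **argv) {
    const char *fixed = "101.0.4951.41";          /* version quoted in the advisory */
    /* Constructed sample installed version; pass a real one as argv[1]. */
    const char *installed = argc > 1 ? argv[1] : "100.0.4896.127";
    int r = chrome_needs_update(installed, fixed);
    if (r < 0) {
        fprintf(stderr, "malformed version string\n");
        return 2;
    }
    printf("installed %s vs fixed %s: %s\n", installed, fixed,
           r ? "UPDATE NEEDED" : "ok");
    return r;   /* non-zero exit when an update is needed, handy in scripts */
}
```

On Linux the installed version can be taken from `google-chrome --version` (which prints a line of the form `Google Chrome 101.0.4951.41`) and passed as the first argument; on other platforms the same string is shown on chrome://settings/help.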

You have a Vulnerability Alert Management Process, right?

If you’re a subscriber to CyberHoot’s services, you’ll have access to our Policy and Process library which contains the vulnerability alert management process document. This document prescribes how to respond to situations like this and in what time frame. If your company has not yet adopted a VAMP-like process, now is a great time to get started.

Sources
CISecurity

MalwareBytes

Zero Day – Cybrary Term
