Google Chrome Update With ‘High Severity’ Bug Fixes on Mobiles, Windows, Mac, and Linux Released

Google Chrome has been updated with important security fixes for Google’s browser on smartphones as well as Windows, Mac, and Linux computers. The update fixes a total of ten security vulnerabilities on the popular browser. The updated Chrome browser will be rolled out over the coming days, Google said in an advisory. The company recommends that users should install the update as soon as it is rolled out to their devices. The company, however, restricted itself from revealing full details about the bugs until a majority of users have updated to the latest version. This information will be further withheld if the existence of similar flaws are identified in any third-party libraries that other projects depend on and haven’t yet been addressed through a fix, according to Google.

The search giant lists six out of the ten addressed security vulnerabilities ‘high severity’ bugs, which means that users are advised to apply the updates as soon as possible to prevent their devices from being at risk of exploitation, Google said in its release notes.

The vulnerabilities could allow a remote attacker to exploit ‘heap corruption’ via a crafted HTML page. Memory corruption typically occurs in a computer program due to programming errors, and corrupted memory contents can lead either to program crashes or unexpected behaviour in the affected application.

The first and second heap corruption vulnerabilities are denoted by CVE-2022-3885 and CVE-2022-3886, which represent security flaws in V8, the open-source JavaScript engine that powers Google Chrome and Chromium web browsers, and the Speech Recognition on Google Chrome, respectively.

The third security flaw has been recorded as CVE-2022-3887 and affects Web Workers, a feature allowing scripts to run in the background. Meanwhile, CVE-2022-3888 affects the WebCodecs API on Google Chrome.

Google has also mitigated the CVE-2022-3889 vulnerability in Chrome, which provides the browser’s V8 engine with the wrong code, while CVE-2022-3890 can be used by remote attackers to escape the “sandbox” security measures used to isolate the browser from critical system components, using Crashpad.

Meanwhile, the firm has credited and rewarded external security researchers who responsibly disclosed the vulnerabilities, allowing Google to patch them in time. The company has paid rewards of up to $21,000 (roughly Rs. 17,15,000) to the researchers who discovered them.