
High-risk Chrome vulnerability allows hackers to break into the browser

Google updated its Chrome web browser to fix a total of 8 vulnerabilities, including 4 rated as high-risk. Three of them are use-after-free vulnerabilities. These flaws can cause errors in the browser’s memory, opening the door to compromise of the browser and of the host it runs on.

Last Friday, the Cybersecurity and Infrastructure Security Agency (CISA) issued a security bulletin urging users and information security administrators to update the application as soon as possible. The agency warned that attackers could use these vulnerabilities to take control of affected systems.

In its December security announcement, Google wrote:

Previous versions of the Chrome desktop browser, including those for Windows, are all vulnerable. A new version of the browser will roll out over the next few days or weeks, and the updated Chrome version 87.0.4280.88 will patch these vulnerabilities.

If you want to update the Chrome browser manually, open the Chrome drop-down menu at the top right of the browser window. Select “Help” in this menu, and then select “About Google Chrome”. Opening this menu item automatically starts the Chrome browser update function.

Google said that it will not disclose the details of each vulnerability until most users have installed the fix. It also pointed out that where a vulnerability exists in a third-party code base used by other devices or platforms, the technical details will remain restricted.

The three high-risk use-after-free vulnerabilities affect Chrome’s clipboard, media and extension components. These vulnerabilities are numbered CVE-2020-16037, CVE-2020-16038, and CVE-2020-16039.

The fourth high-risk vulnerability (CVE-2020-16040) affects V8, Google’s open source high-performance JavaScript and WebAssembly engine. The vulnerability is attributed to insufficient data validation, which in some cases opens the door to cross-site scripting attacks.

Google’s V8 JavaScript engine was also affected by a second vulnerability this month, one of the two medium-risk vulnerabilities reported in December this year. It is numbered CVE-2020-16042 and is described as an uninitialized-use vulnerability. The specific nature of the vulnerability is still unclear from the announcement issued by Google. However, network security researchers believe that such uninitialized-use vulnerabilities are “basically negligible” and are generally “considered as trivial memory errors.”

According to a research report published by Georgia Institute of Technology in 2017, these vulnerabilities are actually a very important attack vector that hackers can exploit effectively to carry out privilege escalation attacks in the kernel.

The second medium-risk vulnerability (CVE-2020-16041) is an “out-of-bounds read in the network” vulnerability, which may allow hackers to improperly access objects in memory. Although the technical details of the CVE have not been published, this type of vulnerability may allow unauthorized hackers to send malicious messages to the affected software. The target program may then crash because it does not properly validate the message.

Google thanked the security researchers who contributed to identifying this month’s vulnerabilities. Google thanked Ryoya Tsukasaki for discovering the use-after-free vulnerability in the Chrome clipboard (CVE-2020-16037); the researcher received a $5,000 bug bounty. Khalil Zhani, Lucas Pinheiro, Sergei Glazunov, André Bargull and Mark Brand were also praised by Google for their efforts to find vulnerabilities.