Google has released the latest version of its Chrome browser, addressing 26 vulnerabilities including eight critical flaws.
Chrome 116 ships fixes across several components, including Offline, the V8 engine, Device Trust Connectors, Fullscreen, Network, ANGLE and Skia.
Mike Walters, VP of vulnerability and threat research and co-founder of Action1, highlighted CVE-2023-2312 as one of the most critical vulnerabilities. The use-after-free bug in Offline garnered a $30,000 bug bounty reward from Google.
“The issue stems from the ‘ScheduleDownload’ function that takes a callback. Inside this function, a raw pointer to a WebContents object is passed as a parameter to the callback,” he explained.
“The problem arises from the lack of assurance that the pointer to the WebContents object remains valid when the callback is executed. Consequently, the callback might attempt to access or manipulate an invalid or non-existent WebContents object, resulting in a use-after-free vulnerability.”
Another use-after-free flaw to watch is CVE-2023-4349, which affects Device Trust Connectors and in particular the interaction between the DeviceTrustKeyManager and the ThreadPool.
“In the current implementation, the Device Trust SigningKeyPair, a cryptographic signing-related object, is stored in a unique_ptr within the DeviceTrustKeyManager. However, during the shutdown sequence, the unique_ptr containing the SigningKeyPair is deleted before the ThreadPool,” explained Walters.
“The ThreadPool, responsible for managing and executing tasks, still references the deleted object, potentially leading to a use-after-free bug. This scenario could occur if a task on the ThreadPool requires access to the SigningKeyPair after it has been deleted.”
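Both flaws Walters describes share one root cause: a deferred task holds a reference to an object whose lifetime it does not control. The following is an added illustration, not Chromium code, of the callback-with-raw-pointer pattern from the ScheduleDownload description beside the usual hardening (a weak reference that is checked before use); `WebContents`, `DownloadScheduler` and `RunScenario` are simplified stand-ins, and `std::weak_ptr` stands in for Chromium's `base::WeakPtr`.

```cpp
#include <functional>
#include <memory>
#include <vector>

// Simplified stand-in for a browser tab object (assumption, not the real class).
struct WebContents {
  int downloads_started = 0;
};

// Hypothetical scheduler: callbacks are queued now and run later, possibly
// after the WebContents they refer to has already been destroyed.
class DownloadScheduler {
 public:
  // Unsafe pattern (as in the advisory): a raw pointer is captured and nothing
  // guarantees it is still valid when the callback finally executes.
  void ScheduleUnsafe(WebContents* contents) {
    pending_.push_back([contents] {
      contents->downloads_started++;  // use-after-free if the tab was closed
      return true;
    });
  }

  // Hardened pattern: capture a weak reference and refuse to touch the object
  // once its owner has released it.
  void ScheduleSafe(std::weak_ptr<WebContents> weak) {
    pending_.push_back([weak] {
      auto contents = weak.lock();
      if (!contents) return false;  // owner gone: skip instead of dereferencing
      contents->downloads_started++;
      return true;
    });
  }

  // Runs every queued callback; returns how many found a live object.
  int RunPending() {
    int ran = 0;
    for (auto& cb : pending_) if (cb()) ++ran;
    pending_.clear();
    return ran;
  }

 private:
  std::vector<std::function<bool()>> pending_;
};

// Schedules a download via the safe path, optionally closing the tab first.
int RunScenario(bool destroy_before_run) {
  DownloadScheduler scheduler;
  auto contents = std::make_shared<WebContents>();
  scheduler.ScheduleSafe(contents);
  if (destroy_before_run) contents.reset();  // tab closed before callback fires
  return scheduler.RunPending();             // 0 when closed early, else 1
}
```

The same lifetime question applies to the Device Trust case: a task on the ThreadPool must either hold a checked reference to the SigningKeyPair or the key pair must outlive the pool during shutdown.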
The security advisory comes after researchers warned last week that threat actors have been attempting to trick users into installing fake updates in order to download malware.
Trellix claimed in a blog post that the end goal was to install a remote administration software tool called NetSupport Manager to remotely control victim machines and steal information.
The campaign was linked to suspected Russian actor SocGholish, although Trellix isn’t 100% sure about its attribution.