Google has confirmed two new high-rated security vulnerabilities affecting Chrome, prompting yet another update since the release of Chrome 81 on April 7. These new security threats could enable an attacker to take control of an exploited system, which is why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has advised users to apply that update now.
What are the latest Chrome security vulnerabilities?
According to the update notice from Google Chrome technical program manager, Prudhvikumar Bommana, and published April 27, the two security vulnerabilities were reported by Zhe Jin from Qihoo 360. One of these, CVE-2020-6462, a use-after-free error in the Chrome task scheduling functionality, earned Jin a $10,000 (£8,000) reward.
The other vulnerability, CVE-2020-6461, was also of the use-after-free variety but this time was affecting storage.
How can these Chrome threats be exploited?
As is always the case, the full details of these vulnerabilities have not yet been made public in order to ensure as many users as possible can mitigate the risk posed before full disclosure is made.
All that we know so far is that both vulnerabilities are of the use-after-free variety, which is where an attempt to access memory after it has been freed elsewhere so as to execute arbitrary code. In the case of CVE-2020-6461, the use-after-free vulnerability exists in storage. To exploit this, an attacker would have to create a malicious web page and convince the user to visit it. CVE-2020-6462 exists within task scheduling but would require the same exploit methodology for an attacker to execute arbitrary code.
The result is the same for both scenarios: an attacker could compromise and take control of the target system.
What should you do now?
The good news is that, at the time of writing, I have not been able to find any evidence that either of these vulnerabilities is being actively exploited by threat actors. Which doesn’t mean they won’t be as more detail emerges.
The even better news is that Google has mitigated the risk with an update taking Chrome to version 81.0.4044.129, the update that CISA encourages all users of Chrome for Windows, Mac and Linux to make.
Google has said that this update will roll out to all users “over the coming days and weeks,” but as always, I’m inclined to be proactive and recommend triggering the update manually.
You can do this simply by going to Help|About Google Chrome, which will reveal the version you have installed and trigger an update check. Once the latest version has been installed, restart your browser, and you will be protected against both security threats.