On March 29, 2022, Google released its 100th version of Chrome where major features have been introduced such as a new logo, security improvements, development features, and more.
The Chrome 100 also fixes the 28 security vulnerabilities with nine being marked as ‘High’ severity. It can be recalled that on March 25, Google has released version 99.0.4844.84 to fix a zero-day vulnerability tracked as CVE-2022-1096 that is being actively exploited in the wild.
______________________________
A. List of Vulnerabilities
| CVE-2022-1096 | High | Type Confusion in V8. |
| CVE-2022-1125 | High | Use after free in Portals. |
| CVE-2022-1127 | High | Use after free in QR Code Generator. |
| CVE-2022-1128 | High | Inappropriate implementation in Web Share API. |
| CVE-2022-1129 | High | Inappropriate implementation in Full Screen Mode. |
| CVE-2022-1130 | High | Insufficient validation of untrusted input in WebOTP. |
| CVE-2022-1131 | High | Use after free in Cast UI. |
| CVE-2022-1132 | High | Inappropriate implementation in Virtual Keyboard. |
| CVE-2022-1133 | High | Use after free in WebRTC. |
| CVE-2022-1134 | High | Type Confusion in V8. |
| CVE-2022-1135 | Medium | Use after free in the Shopping Cart. |
| CVE-2022-1136 | Medium | Use after free in Tab Strip. |
| CVE-2022-1137 | Medium | Inappropriate implementation in Extensions. |
| CVE-2022-1138 | Medium | Inappropriate implementation in Web Cursor. |
| CVE-2022-1139 | Medium | Inappropriate implementation in Background Fetch API. |
| CVE-2022-1141 | Medium | Use after free in File Manager. |
| CVE-2022-1142 | Medium | Heap buffer overflow in WebUI. |
| CVE-2022-1143 | Medium | Heap buffer overflow in WebUI. |
| CVE-2022-1144 | Medium | Use after free in WebUI. |
| CVE-2022-1145 | Medium | Use after free in Extensions. |
| CVE-2022-1146 | Low | Inappropriate implementation in Resource Timing. |
______________________________
B. Actions to be Taken
CERT-PH recommends the following actions be taken:
- Users and administrators are urged to update their Google Chrome version to the latest version.
- Proactively monitor and secure identified systems and devices for any suspicious/malicious activities.
- In addition, providing and capacitating employees with cybersecurity knowledge and information to minimize the attack surface.