Multiple Vulnerabilities in Google Chrome for Android and Chrome OS Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2022-064

DATE(S) ISSUED:

05/10/2022

OVERVIEW:

Multiple vulnerabilities have been discovered in Google Chrome for Android and Chrome OS, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Chrome OS is a proprietary Linux-based operating system designed by Google. It is derived from the open-source Chromium OS and uses the Google Chrome web browser as its principal user interface. Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the application.

THREAT INTELLIGENCE:

There are currently no reports that these vulnerabilities are being exploited in the wild.

SYSTEMS AFFECTED:

  • Google Chrome for Android versions prior to 101.0.4951.61
  • Chrome OS versions prior to 101.0.4951.59

RISK:

Government:
Large and medium government entitiesHIGH
Small governmentHIGH
Businesses:
Large and medium business entitiesHIGH
Small business entitiesHIGH
Home Users:
LOW

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Chrome for Android and Chrome OS, the most severe of which could allow for arbitrary code execution. Details of the vulnerabilities are as follows:

  • Chrome for Android
    o Use after free in Sharesheet (CVE-2022-1633)
    o Use after free in Browser UI (CVE-2022-1634)
    o Use after free in Permission Prompts (CVE-2022-1635)
    o Use after free in Performance APIs (CVE-2022-1636)
    o Inappropriate implementation in Web Contents (CVE-2022-1637)
    o Heap buffer overflow in V8 Internationalization (CVE-2022-1638)
    o Use after free in ANGLE (CVE-2022-1639)
    o Use after free in Sharing ( CVE-2022-1640)
    o Use after free in Web UI Diagnostics (CVE-2022-1641)
  • Chrome OS
    o Heap Use-after-free in Window Manager
    o Use after free in Chrome OS shell.
    o Heap buffer overflow in Window Manager.
    o Use-after-free in file selection dialog
    o Use-after-free in PPD file selection dialog
    o Use-after-free in file selection dialog
    o Buffer overflow in Shelf
    Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the application.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the stable channel update provided by Google to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

Get Email Updates When Cyber Threats Like This Arise

Subscribe to Advisories