BeefYT, posted November 28, 2022

A couple of days ago Google released an emergency security update for Google Chrome after another Zero Day exploit was published. If you wish to research a bit more on what the vulnerability is, you can search CVE-2022-4135. This is the 8th Zero Day this year.

The security risk: Attackers are able to execute and manipulate the file path that Chrome takes. This can lead to memory leaks and potential for Remote Code Execution, which can lead to your entire system being exploited.

These are the Chrome versions you want to be at now:

- version 107.0.5304.121 for macOS and Linux
- version 107.0.5304.121/.122 for Windows

If you are running any other browser you are advised to make sure they are updated, which most will over the next week.

Attackers will take advantage of this exploit; it's incredibly easy to execute. I have tinkered with the vulnerability a little bit to see what it does and it took me 10 minutes to own another machine on my local network. This vulnerability is classed as being actively exploited.

Updating: Chrome will display an update symbol in the top right-hand corner; click it and update. Make sure you have automatic updates on.

This is Google's quick fix release. Another vulnerability will more than likely come up in the next week or so. If I get hold of any more information I'll post it here.

Beef
Offensive Cyber Security Engineer & Penetration Tester

RedBaird (Leader), posted November 28, 2022 (edited)

I clicked on the About Chrome in Settings and it did this:

Updating Chrome (66%)
Version 107.0.5304.107 (Official Build) (64-bit)

Then it did:

Nearly up to date! Relaunch Chrome to finish updating.
Version 107.0.5304.107 (Official Build) (64-bit)

They gave me a slightly different version from the "version 107.0.5304.121/.122 for Windows" in @BeefYT's post. I have Windows 10 Pro, version 10.0.19044 Build 19044.

Edited November 28, 2022 by RedBaird (versions)

BeefYT (Author), posted November 28, 2022

2 minutes ago, RedBaird said:
> I clicked on the About Chrome in Settings and it did this: Updating Chrome (66%) Version 107.0.5304.107 (Official Build) (64-bit)

Hello mate,

After that update, you may get another pop-up for the update. You are quite a way behind and .107

Best thing to do is turn on auto updating.

- ALT + F4 while on Chrome.
- CTRL + ESC (Task manager)
- Scroll through processes; make sure you have completely killed Chrome.
- Restart Chrome.

The boot-up script will execute, which triggers auto update scripts.

RedBaird (Leader), posted November 28, 2022

I got the update and closed Chrome. The TaskManager | Processes only shows Google Crash Handlers running right now. (I have a TaskManager link on the Taskbar, just so I can "look at stuff".) Starting Chrome up again gave me the same 'updated' version as above.

Hmmm: "Chrome checks for new updates regularly, and when an update is available, Chrome applies it automatically when you close and reopen the browser."

GHARIB, posted November 28, 2022

I confirm the information. UPDATE Chrome ASAP!

RedBaird (Leader), posted November 28, 2022 (edited)

15 hours ago, BeefYT said:
> CVE-2022-4135.

Are You Kidding Me? 😄 "Heap buFFer overflow in the GPU?" OMG+LMAO!

> NVD - CVE-2022-4135
> Description: Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page

Edited November 29, 2022 by RedBaird (buffer, not buTTer!)

BeefYT (Author), posted November 28, 2022

Yeah... In this day and age, for an overflow exploit to still work is shocking. People will take advantage of it; it was just lucky Google actually picked it up first rather than someone else. Well, that's as far as we are aware; someone may have known about it and just kept quiet. Every hacker has a card up his sleeve.

Snuffs99, posted November 28, 2022

4 hours ago, RedBaird said:
> Are You Kidding Me? 😄 "Heap butter overflow in the GPU?" OMG+LMAO!

😄😄😄 LMFAO, should have gone to Specsavers mate....... it's buFFer not buTTer

Vindstot (Senior Member), posted November 29, 2022

I don't use Chrome (only very rarely), but I also did the update. Thanks for the warning!

BeefYT (Author), posted November 29, 2022 (edited)

7 hours ago, Vindstot said:
> I dont use Chrome (only very rarely), but I also did the update Thanks for the warning!

It's incredibly likely that other browsers will be affected by it. Just be a case of different vectors and paths compared to Chrome. Nonetheless, it's why it's so important to just update everything consistently. And if the dev no longer supports it, get shot of it.

Edited November 29, 2022 by BeefYT

RedBaird (Leader), posted November 29, 2022

21 hours ago, RedBaird said:
> potentially perform a sandbox escape via a crafted HTML page

"What is the difference between a sandbox and a sandbox escape? The computer that houses the sandbox (with guest) is called the host. A sandbox escape is any type of exploit that allows the guest process to break free of the constraints of the sandbox, and access the host and/or outside world resources directly. The sandbox provides a constrained interface (shell) for the guest to operate in."

// An untrusted process 'breaks out of jail' and can then cause damage to the wider world inside the computer system. //

GHARIB, posted November 29, 2022 (edited)

39 minutes ago, RedBaird said:
> The computer that houses the sandbox (with guest) is called the host. A sandbox escape is any type of exploit that allows the guest process to break free of the constraints of the sandbox, and access the host and/or outside world resources directly. The sandbox provides a constrained interface (shell) for the guest to operate in."

It has been the case this year with Firefox / Firebird: the vulnerability CVE-2022-1529 (before version < 100.0.2 / < 100.3 for Android / < 91.9.1 for Thunderbird). I can't share the details here because not disclosed and not the right place 😛

An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. 🤢

We call this "JavaScript sandbox-escape vulnerabilities".

54 minutes ago, BeefYT said:
> None the less it's why its so important to just update everything consistantly.

Yes! Don't listen to some "lazy" IT guys who sometimes advise people to not update the devices yet and wait longer to check if the update "works nicely"..... NO! A simple device should ALWAYS be updated immediately. A system or network admin should also always look for patches and the impact on their networks. When an UPDATE is available, it is because a security researcher has found vulnerability(ies).

Sometimes we feel secure, and we say "why would someone do this to me?" But trust me, the whole web is grabbed; each device connected and incorrectly configured or not updated could be compromised.

Edited November 29, 2022 by GHARIB
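
The "double-index into a JavaScript object" pattern named in the post above, shown generically beside a hardened handler. This is an added illustration, not part of any post and not Firefox code; the handler names, the `{group, key, value}` message shape and the sample messages are assumptions constructed for the example.

```javascript
// Added illustration, not Firefox code. handleMessage* and the message shape
// {group, key, value} are hypothetical; the messages below are constructed.

// Vulnerable pattern: both indexes come from the untrusted message.
function handleMessageUnsafe(store, msg) {
  store[msg.group][msg.key] = msg.value; // store["__proto__"] is Object.prototype
}

// Hardened pattern: reject keys that reach the prototype chain and only
// index into groups the store actually owns.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

function handleMessageSafe(store, msg) {
  for (const k of [msg.group, msg.key]) {
    if (typeof k !== "string" || FORBIDDEN.has(k)) return false;
  }
  if (!Object.prototype.hasOwnProperty.call(store, msg.group)) return false;
  store[msg.group][msg.key] = msg.value;
  return true;
}

// Null-prototype containers: there is no inherited "__proto__" accessor to hit.
function makeStore() {
  const store = Object.create(null);
  store.prefs = Object.create(null);
  return store;
}

// Runs the same constructed message through both handlers and reports
// whether an unrelated, freshly created object picked up the property.
function demo() {
  const msg = { group: "__proto__", key: "isPrivileged", value: true };

  handleMessageUnsafe({ prefs: {} }, msg);
  const pollutedByUnsafe = ({}).isPrivileged === true;
  delete Object.prototype.isPrivileged; // undo the global side effect

  const accepted = handleMessageSafe(makeStore(), msg);
  const pollutedBySafe = ({}).isPrivileged === true;

  const ok = handleMessageSafe(makeStore(), { group: "prefs", key: "theme", value: "dark" });
  return { pollutedByUnsafe, accepted, pollutedBySafe, ok };
}

console.log(demo());
```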

BeefYT (Author), posted November 29, 2022

43 minutes ago, GHARIB said:
> It has been the case this year with Firefox / Firebird The vulnerability CVE-2022-1529 (before version < 100.0.2 / <100.3 for android / < 91.9.1 for Thunderbird) I can't share here the details because not disclosed and not the right place 😛
>
> An attacker could have sent a message to the parent process where the contents were used to double-index into a JavaScript object, leading to prototype pollution and ultimately attacker-controlled JavaScript executing in the privileged parent process. 🤢
>
> We call this "Javascript sandbox-escape vulnerabilities "
>
> Yes! Don't listen some "lazy" IT guys who sometimes advice people to not update the devices yet and wait longer to check if the update "works nicely"..... NO! A simple device should be ALWAYS updated immediately. A system or network admin should also always look for patches and the impact on their networks. When an UPDATE is available, it is because a security researcher has found vulnerabilitie(s).
>
> Sometimes we feel ourselves in security, and we say "why someone would do this to me?" But trust me, the whole web is grabbed, each device connected and incorrectly configured or not updated could be compromised.

Why we make money mate and quite a bit for it because people will compromise anything and everything in this day and age to make money.

BeefYT (Author), posted December 4, 2022

Chrome have launched another update to properly patch CVE-2022-4135. Make sure you update and you are on version: .123 for Windows or .122 for macOS and Linux.

PS: That should be the end for CVE-2022-4135 until about 2-3 months' time when .123 is vulnerable...

RedBaird (Leader), posted December 4, 2022

22 minutes ago, BeefYT said:
> version: .123 for windows

My Windows 10 Chrome just updated to "Version 108.0.5359.95 (Official Build) (64-bit)"
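
A way to check the "About Chrome" strings posted in this thread against the fixed version, as an added example that is not part of any post. It assumes the threshold from the NVD description quoted earlier in the thread ("prior to 107.0.5304.121"); the function names are hypothetical.

```javascript
// Added example, not from the thread. The fixed version is the one in the NVD
// text quoted in the thread; the sample lines are the strings posters reported.
const FIXED_CVE_2022_4135 = "107.0.5304.121";

// Pull the four-part version number out of an "About Chrome" line.
function parseChromeVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)\.(\d+)/.exec(text);
  if (!m) throw new Error(`no Chrome version found in: ${text}`);
  return m.slice(1).map(Number);
}

// Numeric, component-wise comparison: returns -1, 0 or 1.
// A plain string comparison would rank "...5304.95" above "...5304.121".
function compareVersions(a, b) {
  for (let i = 0; i < 4; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the reported build is at or above the fixed build.
function isPatched(aboutLine, fixed = FIXED_CVE_2022_4135) {
  const installed = parseChromeVersion(aboutLine);
  return compareVersions(installed, parseChromeVersion(fixed)) >= 0;
}

// Version strings reported in the thread.
const reported = [
  "Version 107.0.5304.107 (Official Build) (64-bit)",
  "Version 108.0.5359.95 (Official Build) (64-bit)",
];
for (const line of reported) {
  const verdict = isPatched(line) ? "at or above" : "below";
  console.log(`${line} -> ${verdict} ${FIXED_CVE_2022_4135}`);
}
```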