The Centre has warned of multiple Google Chrome vulnerabilities that could allow remote attackers to bypass security restrictions on targeted systems. The warning comes from the Indian Computer Emergency Response Team (CERT-In), which operates under the Ministry of Electronics and Information Technology.
The warning follows a CERT-In advisory for Apple users about a vulnerability in iOS and iPadOS versions prior to 15.6.1 and macOS Monterey versions prior to 12.5.1. The central organisation said in its warning that a remote attacker could exploit the vulnerability by enticing a victim to open a specially crafted file.
Apple, Google’s biggest rival, has also disclosed security vulnerabilities for iPads, iPhones, and Macs that could allow attackers to take control of these devices. The company said it was “aware of a report that this issue may have been actively exploited”, and asked users to update their software. While Apple did not disclose if it had information regarding the extent to which the vulnerabilities had been exploited, the Cupertino-based tech giant has released two security reports.
Are all Google Chrome users hit?
The vulnerability has not affected all Google Chrome users. According to the Centre’s advisory, Google Chrome users running versions before Google Chrome 104.0.5112.101 face the risk. The government has advised users running an older version of Google Chrome to update their browser version.
CERT-In, in its warning, said multiple vulnerabilities had been detected in the Google Chrome browser “which could allow a remote attacker to execute arbitrary code and security restriction bypass on the targeted system”.
“These vulnerabilities exist in Google Chrome due to use after free in FedCM, SwiftShader, ANGLE, Blink, Sign-in Flow, Chrome OS Shell; Heap buffer overflow in downloads, insufficient validation of untrusted input in intents, insufficient policy enforcement in Cookies and inappropriate implementation in extensions API,” it added.
The advisory added that the vulnerability (CVE-2022-2856) was being exploited in the wild. “Users are advised to apply patches urgently,” CERT-In said.

Financial Express