Google, Apple squash exploitable browser bugs

Google has issued 11 security fixes for desktop Chrome, including one for a bug that already has an exploit in the wild.

That high-severity vulnerability, tracked as CVE-2022-2856, is an improper input validation bug. As usual, Google is withholding most details about it until the bulk of Chrome users are updated and the code is fixed.

In an advisory, the internet giant described the flaw as “insufficient validation of untrusted input in Intents,” and noted that it “is aware that an exploit for CVE-2022-2856 exists in the wild.”

Chrome Intents can be used to launch apps from webpages and pass data to those applications.

Sophos security researchers note that Google didn’t provide any details about how this functionality can be manipulated to compromise a user’s device. “The danger seems rather obvious if the known exploit involves silently feeding a local app with the sort of risky data that would normally be blocked on security grounds,” Sophos’s Paul Ducklin added.

Googlers Ashley Shen and Christian Resell, both part of the Threat Analysis Group, reported the vulnerability on July 19. 

This is the fifth Chrome bug Google has fixed this year that has either been exploited or had exploit code in the wild.

While Google isn’t aware of any exploits for the remaining bugs on today’s list, one received a critical-severity rating and Google deemed five others high severity.

The Center for Internet Security, which ranked the risk of these Chrome vulnerabilities as “high” for large and medium government agencies
