Application Security , Governance & Risk Management , Incident & Breach Response

CERTs Urge Patching of Google Chrome, Android Flaws

Exploitation May Lead to DoS, Data Privacy Breach, RCE Attacks
CERTs Urge Patching of Google Chrome, Android Flaws
CERTs say to patch Chrome and Android flaws now.

Several global Computer Emergency Response Teams have issued alerts as well as fixes for Google Chrome browser and Android operating system vulnerabilities.

Countries issuing the alerts include France, India and Canada.

Google Chrome Vulnerabilities

The Canadian Center for Cyber Security, in its advisory, says that all Chrome for desktop versions prior to 98.0.4758.80 are vulnerable to all flaws reported by the technology giant.

Google Chrome, in its Chrome release update, says that a total of 27 security fixes, including 10 high-, 14 medium- and 3 low-severity vulnerabilities, have been made. Of these, 19 vulnerabilities were disclosed by external security researchers, while the rest were found by internal researchers during "internal audits, fuzzing and other initiatives."

The vulnerabilities in Google Chrome browser and OS can be used by a threat actor to execute arbitrary code, according to CERT-In. These vulnerabilities exist due to the following conditions:

High-Severity Flaws

Medium-Severity Flaws

Low-Severity Flaw

The latest stable channel update of Chrome for desktop includes fixes for all operating systems and the following version numbers: Windows (98.0.4758.80/81/82), Mac and Linux (98.0.4758.80).

Google Chrome says that a complete roll-out for all OS versions will be completed in coming days.

Android Vulnerabilities

A total of 37 vulnerabilities, ranging from critical to high severity, have been noted by Android in its latest security patch update. Successful exploitation of these vulnerabilities allows a threat actor to exfiltrate sensitive data, escalate privileges and cause a denial of servicecondition on the targeted system.

The vulnerabilities affect various frameworks and components of Android, including Framework, Media Framework, System, Google Play system updates, Amlogic, Mediatek, Unisoc, Qualcomm, and Qualcomm closed-source components. Android says that the vulnerabilities affect only versions 10, 11 and 12.

Of all the vulnerabilities, Android rates CVE-2021-39675 as the most critical one because it provides remote escalation of privileges and does so without any user interaction.

Android lists the vulnerabilities in the security patch update at two separate security patch levels, "so that Android partners have the flexibility to fix a subset of vulnerabilities that are similar across all Android devices more quickly," it says. All partners, however, are encouraged to apply both security patch levels as soon as possible.

Immediate Action Required

"Consumers need to take immediate action when software suppliers provide fixes to issues that can be exploited without user intervention or have been classified as of high or critical importance," John Goodacre, director of U.K. Research and Innovation’s Digital Security by Design, tells ISMG.

"This is especially true as hackers may already be exploiting the issue and if not, the release of the patch can give hackers insight on how to exploit it," the professor of computer architectures at the University of Manchester says.

"Until our devices are built using future by-design security technologies, all users of software need to react to such updates at the earliest opportunity. We often hear about users delaying updates, for example in responding to the Log4j disclosure, and how they are still suffering from attacks. We surely don't want a repeat of that," Goodacre says.

Alan Calder, CEO of IT risk management solutions provider GRC International Group, says there is never a good reason to delay deploying patches. "There is only a risk calculation," he says, "that being: What is the benefit of delay versus what is the impact of being breached?"

About the Author

Mihir Bagwe

Mihir Bagwe

Principal Correspondent, Global News Desk, ISMG

Bagwe previously worked at CISO magazine, reporting the latest cybersecurity news and trends and interviewing cybersecurity subject matter experts.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.