Google is warning of two high-severity use-after-free bugs impacting its Chrome browser for Windows, macOS and Linux. Patches for both vulnerabilities are available, along with fixes for two additional medium-severity flaws.
Google warns the most severe flaws could allow a remote attacker to execute code on a targeted system. Google has released updates for vulnerable desktop versions of its Chrome browser on macOS and Linux (109.0.5414.119) and on Windows (109.0.5414.119.120).
There are no reports of exploitation of the flaws and software patches will roll out over the coming days and weeks, Google said.
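For administrators confirming that the update has landed, the following added example (not from Google or the original article) compares reported Chrome version strings against the fixed build 109.0.5414.119 given above. The host names and version lines are constructed sample data, and using the macOS/Linux build number as the minimum on every platform is an assumption.

```python
import re

# Fixed build the article gives for macOS and Linux. Assumption: used here as
# the minimum for every platform, Windows included.
FIXED_BUILD = (109, 0, 5414, 119)

# Chrome versions have four numeric parts: major.minor.build.patch
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_chrome_version(text):
    """Return (major, minor, build, patch) found in text, or None if absent."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def audit(inventory, fixed=FIXED_BUILD):
    """Sort (host, version_text) rows into patched / outdated / unknown."""
    report = {"patched": [], "outdated": [], "unknown": []}
    for host, version_text in inventory:
        version = parse_chrome_version(version_text)
        if version is None:
            # No parsable version: follow up manually, do not assume patched.
            report["unknown"].append(host)
        elif version >= fixed:
            # Tuples of ints compare numerically, so .74 sorts below .119;
            # comparing the raw strings would get this wrong.
            report["patched"].append(host)
        else:
            report["outdated"].append(host)
    return report


# Constructed sample inventory (hypothetical hosts and version lines).
SAMPLE_INVENTORY = [
    ("mac-01", "Google Chrome 109.0.5414.119"),
    ("lin-02", "Google Chrome 109.0.5414.74"),
    ("win-03", "108.0.5359.125"),
    ("lin-04", "Google Chrome 110.0.5481.77"),
    ("win-05", "not installed"),
]

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as unknown need a manual check, because a missing version string says nothing about whether the browser is patched.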
The most severe bug, tracked as CVE-2023-0471, ranks 8.8 out of 10 on the Common Vulnerability Scoring System v3.0 (CVSS v3.0) scale, making it high-severity. The bug was first reported to Google by security researcher Cassidy Kim, with Amber Security Lab, on Oct. 19, 2022. The bug earned the researcher a $16,000 bug bounty reward.
The use-after-free vulnerability impacts a relatively new component within the Chrome browser ecosystem called WebTransport, added in Jan. 2022. WebTransport, an API offering low-latency, bidirectional, client-server messaging within the browser, is described by Google as a successor to the similar WebSockets browser component.
“Depending on the privileges associated with the user an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” according to a Tuesday Center for Internet Security bulletin on CVE-2023-0471. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.”
A use-after-free vulnerability arises when a program continues to use dynamic memory after that memory has been freed. In the case of the CVE-2023-0471 flaw, it created an opportunity for a remote adversary to trigger heap corruption via a crafted HTML page.
“By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system or cause a denial of service,” according to an IBM X-Force vulnerability report.
Also a use-after-free bug, CVE-2023-0472 (CVSS 8.8) impacts Google Chrome’s Web Real-Time Communication (WebRTC) component. WebRTC is an open-source component used for browser-to-browser communication, voice calling and video chat.
Like the previous bug, exploitation of CVE-2023-0472 allows a remote attacker to execute arbitrary code on the targeted system, IBM’s X-Force team reported.