This week, the Indian Computer Emergency Response Team (CERT-In) has released advisories warning users that Google’s Chrome browser, older iterations of Apple’s iOS and macOS operating systems, and some versions of the Android operating system (also from Google) need to be urgently updated and patched. This follows up on advisories and security updates last week from Google and Apple.
The warning from the Indian cyber security agency emphasises the seriousness of the issues. Both companies have not only admitted the existence of vulnerabilities; they have acknowledged there are working exploits of those vulnerabilities. In addition, there are issues with Microsoft’s Edge browser.
Let’s try and unpack these warnings.
What’s the big deal about Chrome and some of Apple’s iOS versions being vulnerable?
Chrome is the world’s most popular browser with about 65 per cent of mobile internet surfers and 66 per cent of desktop surfers using it. This means roughly two-thirds of net banking, online shopping, market trading and other financially sensitive activity happens on Chrome. While Edge doesn’t have much market share, it comes bundled free with Windows and some Windows users are lazy enough to use it as their default browser.
Android has the highest mobile market share — well over 70 per cent worldwide and over 95 per cent in India. Apple has the second-highest market share in browsers with Safari (19 per cent) and more importantly, Apple’s iOS holds about 27-28 per cent of mobile operating system market share and about 15 per cent of desktop market share. There’s a fair amount of private personal data passing through iOS.
What is the biggest vulnerability for Chrome?
Google has released 11 security fixes for Chrome and admitted that at least one of those vulnerabilities, CVE-2022-2856, has an “exploit in the wild”. Google describes CVE-2022-2856 as “insufficient validation of untrusted input in Intents”.
Intents are a way to directly launch an app from a website, without downloading the app. Translated from geekspeak, this means CVE-2022-2856 allows some malicious apps to be launched directly without the user even needing to download the app, because Chrome did not properly validate the untrusted input used to launch them. “Exploit in the wild” means some hacker somewhere has found this vulnerability and written a way to exploit it.
What are “use after free” vulnerabilities?
Google has detailed the fixes for multiple “use after free” bugs in its Chrome code. “Use after free” is jargon for a class of memory-handling bug. Programs allocate chunks of dynamic memory (RAM) for their own use and store data or code in those chunks. When the program no longer needs a specific chunk, it frees it, and the memory at that address can be handed out again. In a “use after free” bug, the program keeps a pointer to the chunk and continues to use it after it has been freed, and a clever hacker might be able to place malicious code or fraudulent data at that address to fool the program. For example, a banking program might be induced to “transfer cash to xyz account” by exploiting use after free bugs.
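As an added illustration of the pattern just described (not code from the article or from Chrome), the C below uses a constructed one-slot allocator so that chunk reuse is deterministic: the buggy transfer reads its payee from a chunk it has already freed and picks up whatever was written there next, while the fixed version nulls the pointer on release and refuses to use it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not from the article: a one-slot allocator makes chunk
 * reuse deterministic. On the real heap the same bug is undefined behaviour. */
#define SLOT_SIZE 32
static char pool[SLOT_SIZE];
static int slot_in_use = 0;

static char *pool_alloc(void) {
    if (slot_in_use) return NULL;   /* only one chunk to hand out */
    slot_in_use = 1;
    return pool;
}
static void pool_free(char *p) {
    if (p == pool) slot_in_use = 0; /* chunk may be handed out again */
}

/* Buggy flow: 'payee' is freed, the pointer is kept, and it is read again
 * after the allocator has given the same chunk to someone else. */
void transfer_buggy(char *out, size_t n) {
    char *payee = pool_alloc();
    strcpy(payee, "alice");
    pool_free(payee);               /* released, but 'payee' still points here */
    char *other = pool_alloc();     /* same chunk reused ... */
    strcpy(other, "mallory");       /* ... and filled with attacker-influenced data */
    snprintf(out, n, "transfer to %s", payee); /* use after free: reads "mallory" */
    pool_free(other);
}

/* Fix: release through a helper that nulls the pointer, and check before use,
 * so a stale pointer is caught instead of trusted. */
static void pool_release(char **pp) {
    pool_free(*pp);
    *pp = NULL;
}
int transfer_fixed(char *out, size_t n) {
    char *payee = pool_alloc();
    strcpy(payee, "alice");
    pool_release(&payee);
    char *other = pool_alloc();
    strcpy(other, "mallory");
    if (payee == NULL) {            /* always true once released: stale use refused */
        snprintf(out, n, "refused: payee already released");
        pool_free(other);
        return 0;
    }
    snprintf(out, n, "transfer to %s", payee);
    pool_free(other);
    return 1;
}
```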
What about Apple’s vulnerabilities?
Apple has detailed vulnerabilities in iOS, iPadOS, and macOS Monterey (the patched versions are 15.6.1 and 12.5.1, respectively). These operating systems are vulnerable to “remote code execution”, meaning a remote attack could inject code that would run on the affected system.
What should users do?
Update, update, update. Update to the latest version of the Chrome browser (if you use Chrome). Google released an update on August 17, which plugs these gaps. Check your browser version — it needs to be 104.0.5112.102.
Apple also released updates plugging the CVE-2022-32893 and CVE-2022-32894 vulnerabilities on August 17 — basically check your OS version and update if it’s vulnerable. Microsoft has also released updates plugging the CVE-2022-26923 vulnerability in a security patch. Again, the best thing you can do is update.
Will updating make you safe?
It will make you safer, but complete safety on the Internet is a fantasy. There may well be other “zero-day” vulnerabilities (a zero-day being a vulnerability that is still unknown to the vendor, so no patch exists for it yet).
How are bugs and vulnerabilities found?
Curious researchers look for them. Companies offer bounties to hackers who find bugs and report them. It’s often more lucrative to exploit such vulnerabilities than to alert the company. Governments offer bounties as well to hackers to find such vulnerabilities and keep them secret for purposes of surveillance and espionage.