Second July Google Chrome Security Update Lands On Windows, Mac, Linux

2022-07-23 07:24:02 By: Ms. Jacqueline Yang

Google has just confirmed the second clutch of security updates for the Chrome browser in July. Version 103.0.5060.134 for all Windows, Mac, and Linux users will become available in the coming days. While this update will roll out automatically, users who don't restart their browser regularly are advised to check manually and force the security patch activation.

July 22 update below. This post was originally published on July 20.

As I reported earlier in the month, a zero-day Chrome vulnerability was confirmed by Google as being actively exploited by attackers. That vulnerability was CVE-2022-2294 and very little detail was released about it for obvious reasons. Now that there has been plenty of time for users to apply the fix, in the form of the first Google Chrome security update for July, that detail has started to emerge courtesy of the threat researchers at Avast who discovered it. In a newly published report, the researchers reveal how the vulnerability was used by attackers targeting users in the Middle East, in particular journalists in Lebanon.

The Avast researchers say that they can "confidently attribute it to a secretive spyware vendor" which they name as Candiru. A year ago, almost to the day, Citizen Lab research claimed that Candiru was "a mercenary spyware firm that markets 'untraceable' spyware to government customers. Their product offering includes solutions for spying on computers, mobile devices, and cloud accounts." Avast says Candiru had lain low following the publication of this research but, in March 2022, researchers saw it come back with tools targeting Avast users, once again in Lebanon as well as Palestine, Turkey, and Yemen. Those tools used a zero-day for Google Chrome.

Avast reports that the zero-day was designed to target Chrome users on the Windows platform, but because it exploited a bug in WebRTC it also affected Microsoft Edge and even Apple Safari. All versions of Chrome have since been patched.

This, if you really needed reminding, is a good reason to ensure you don't hang around installing these security updates for Chrome. With billions of users spread across multiple platforms, it is a very profitable target for malicious actors. As stated above, while your browser will automatically download new updates once they are available to it, these won't activate until you restart the browser.

Update your Google Chrome browser ASAP

In total, this update to Chrome 103.0.5060.134 fixes 11 security issues. Five of these were discovered by internal security audits and 'fuzzing', an automated process that feeds unexpected or random inputs to software and watches for crashes or exceptions. The remaining six issues are vulnerabilities uncovered by external security researchers. Unlike the first Chrome update this month, none are zero-days; that is, none are known to be already exploited in the wild. It would also appear that there are no security fixes in the Android Chrome update announced at the same time.
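The article's advice is to check the installed version manually and restart the browser if it is below 103.0.5060.134. The following script is an added example, not code from the article or from Google: it compares Chrome's four-part version strings correctly (a plain string comparison would rank "103.0.5060.99" above "103.0.5060.134") and tries to read the installed version from the local machine. The binary paths, the Linux executable names and the Windows registry location (`HKCU\Software\Google\Chrome\BLBeacon`, value `version`) are assumptions about typical installs and may need adjusting for managed deployments.

```python
"""Check whether a locally installed Chrome is at or above the patched build.

Added example (not from the article): compares Chrome's four-part version
strings and optionally reads the installed version from the local machine.
"""
import platform
import shutil
import subprocess
from typing import Optional, Tuple

# Patched build named in the article's July 22 update.
PATCHED_VERSION = "103.0.5060.134"

# Candidate executables per platform. These locations are assumptions for
# typical installs; adjust for enterprise deployment paths.
CHROME_CANDIDATES = {
    "Darwin": ["/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"],
    "Linux": ["google-chrome", "google-chrome-stable", "chromium", "chromium-browser"],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '103.0.5060.134' (or 'Google Chrome 103.0.5060.134') into a tuple of ints."""
    token = next((t for t in text.split() if t and t[0].isdigit()), "")
    if not token:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in token.split("."))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is below, equal to or above b.

    Each dotted component is compared numerically, so 134 > 99 as expected.
    Missing trailing components count as zero: '103.0.5060' == '103.0.5060.0'.
    """
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def is_patched(installed: str, required: str = PATCHED_VERSION) -> bool:
    """True when the installed build is at or above the patched build."""
    return compare_versions(installed, required) >= 0


def installed_chrome_version() -> Optional[str]:
    """Ask the local Chrome for its version; None if Chrome isn't found.

    On Windows 'chrome.exe --version' prints nothing useful, so the version
    is read from a registry value that Chrome's installer maintains
    (assumed location: HKCU\\Software\\Google\\Chrome\\BLBeacon, value 'version').
    """
    system = platform.system()
    if system == "Windows":
        try:
            import winreg  # Windows-only module
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Google\Chrome\BLBeacon")
            value, _ = winreg.QueryValueEx(key, "version")
            return str(value)
        except OSError:
            return None
    for candidate in CHROME_CANDIDATES.get(system, []):
        # Absolute paths are used as-is; bare names are resolved on PATH.
        exe = candidate if "/" in candidate else shutil.which(candidate)
        if not exe:
            continue
        try:
            out = subprocess.run([exe, "--version"], capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.SubprocessError):
            continue
        if out.returncode == 0 and out.stdout.strip():
            return out.stdout.strip()  # e.g. 'Google Chrome 103.0.5060.134'
    return None


if __name__ == "__main__":
    current = installed_chrome_version()
    if current is None:
        print("Chrome not found or version could not be read")
    elif is_patched(current):
        print(f"OK: {current} is at or above {PATCHED_VERSION}")
    else:
        print(f"UPDATE NEEDED: {current} is below {PATCHED_VERSION}; restart Chrome to activate the patch")
```

Note that the version reported by the binary or registry is the build currently installed on disk, which is what the update mechanism has already downloaded; a running Chrome process that has not been restarted may still be executing the older build, so a passing check should be followed by a restart of any browser windows that were open before the update arrived.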

Check the version number to ensure Google Chrome is secure

Five of the six vulnerabilities are rated as high impact, with the sixth being a low impact issue. In total, $33,500 in bug bounties was awarded to the researchers who disclosed the vulnerabilities. Some $23,000 of this went to just two researchers, one of which, surprisingly, was for that low-impact vulnerability.

As usual, there is little detailed information available currently. Google sensibly withholds this until such a time as a majority of the userbase has had the opportunity to update. Here's what we do know: