CERT-In Warns Google Chrome Desktop Users of Critical Vulnerability
The Indian Computer Emergency Response Team (CERT-In) has issued an urgent high-risk alert for Google Chrome users on desktop systems. According to the government’s cybersecurity organization, several vulnerabilities have been discovered in Chrome's code, posing a significant threat to users. If exploited, these flaws could allow remote attackers to execute arbitrary code, potentially taking control of affected systems. CERT-In strongly advises all Chrome users to update their browsers immediately to safeguard their devices.
Details of the Vulnerabilities
CERT-In’s recent advisory (CIVN-2024-0231) has flagged multiple security issues within Google Chrome that could jeopardize user safety. The most alarming risk is that remote attackers could exploit these vulnerabilities to execute arbitrary code. This could allow them to take over an affected device, access sensitive information, install malicious software, or even shut down the system entirely.
What’s Causing the Risk?
The identified vulnerabilities stem from two main issues within Google Chrome’s codebase:
1. Uninitialized Use: This vulnerability occurs when a variable in the program is used before being assigned a specific value. Such a flaw can lead to unpredictable program behaviour, which attackers can manipulate to alter the program’s operations.
2. Insufficient Data Validation in Dawn: Dawn is a WebGPU implementation used by Chrome for rendering graphics. In this case, insufficient data validation means that Chrome doesn’t thoroughly check the data it processes. This oversight could allow unauthorized code to be executed when the browser encounters specially crafted input.
These combined vulnerabilities provide an opportunity for attackers to create malicious requests that, when processed by Chrome, could lead to the execution of arbitrary code on a user’s machine.
Affected Software Versions
The vulnerabilities impact the following versions of Google Chrome:
- For Windows and macOS: Versions before 127.0.6533.88/89
- For Linux: Versions before 127.0.6533.88
Users running these versions are particularly vulnerable and are urged to update their browsers immediately to prevent potential exploitation.
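To audit a fleet against the fixed builds named above, here is an added example (not part of the advisory) that parses Chrome version strings and flags installs older than the first fixed build per platform. The fixed versions are taken from the advisory (for Windows and macOS, 88 and 89 are both fixed builds, so the threshold is 88); the inventory lines are constructed sample data.

```python
"""Flag Chrome installs older than the fixed builds in CIVN-2024-0231.

Added example, not the advisory's own tooling. Fixed versions come from
the advisory; SAMPLE_INVENTORY below is constructed sample data.
"""
from typing import Dict, List, Tuple

# Lowest fixed version per platform, from the advisory. Windows/macOS
# shipped 127.0.6533.88 and .89 as fixed builds, so .88 is the threshold.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "windows": (127, 0, 6533, 88),
    "macos": (127, 0, 6533, 88),
    "linux": (127, 0, 6533, 88),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '127.0.6533.72' into (127, 0, 6533, 72); reject malformed input."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Chrome version string: {text!r}")
    return tuple(int(p) for p in parts)

def is_affected(platform: str, version: str) -> bool:
    """True when the installed version is older than the platform's fixed build."""
    key = platform.strip().lower()
    if key not in FIXED_VERSIONS:
        raise ValueError(f"unknown platform: {platform!r}")
    # Tuple comparison is lexicographic, so 126.x sorts below 127.0.6533.88
    # and 127.0.6533.89 / 128.x sort at or above it.
    return parse_version(version) < FIXED_VERSIONS[key]

# Constructed sample inventory: "hostname,platform,chrome_version"
SAMPLE_INVENTORY = """\
ws-01,windows,127.0.6533.72
ws-02,windows,127.0.6533.89
mac-07,macos,126.0.6478.183
lnx-03,linux,127.0.6533.88
lnx-04,linux,128.0.6613.84
"""

def find_vulnerable(inventory: str) -> List[str]:
    """Return hostnames from CSV inventory text that still need the update."""
    vulnerable = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, platform, version = (f.strip() for f in line.split(","))
        if is_affected(platform, version):
            vulnerable.append(host)
    return vulnerable

if __name__ == "__main__":
    print(find_vulnerable(SAMPLE_INVENTORY))  # ['ws-01', 'mac-07']
```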