CVE-2022-0453 After free in Reader Mode in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption.

CVE-2022-0453 After free in Reader Mode in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to potentially exploit heap corruption.

CVE-2017-15411 had been mitigated in this browser prior to the update. After the update, this vulnerability was re-introduced due to a regression. It was reported that after the update, when opening a maliciously crafted PDF file in Reader Mode in Google Chrome, a user could be redirected to a remote location and be prompted to download and open a malicious file. This issue was resolved in version 98.0.4758.80 of the software. After the update, users are no longer at risk from this vulnerability. - CVE-2017-15412 Google Chrome prior to version 98.0.4 allows remote attackers to bypass the Same Origin Policy by leveraging the plugin API, a different vulnerability than CVE-2017-15413. - CVE-2017-15413 Bypassing the Same Origin Policy in the plugin API in Google Chrome prior to version 98.0.4 allowed remote attackers to read arbitrary files via a crafted HTML request. - CVE-2017-15414 In Google Chrome prior to version 98.0.4, local users can obtain potentially sensitive information about another user’s browsing history via a crafted HTML page. - CVE-2017-15415 Google Chrome prior to version 98.0.4 allows remote attackers to bypass the Same Origin Policy via a crafted HTML document. - CVE-2017-15416 Google Chrome prior to version 98.0.4 allows remote attackers to bypass the Same Origin Policy via a crafted HTML document. - CVE

References ^^ https://www.google.com/chrome/browser/history ^

https://www.google.com/chrome/browser/history

Solution:

To resolve these vulnerabilities, users should update to the latest version of Google Chrome:
- CVE-2017-15411
- CVE-2017-15412
- CVE-2017-15413
- CVE-2017-15414
- CVE-2017-15415

Google Chrome prior to version 98.0.4 allows remote attackers to bypass the Same Origin Policy by leveraging the plugin API, a different vulnerability than CVE-2017.15416.

What to do if you are affected by the vulnerability?

If you are a user of Google Chrome and think that you may be affected by the vulnerability, please refer to the following article for instructions on how to check:
https://support.google.com/chrome/answer/7118522?hl=en&ref_topic=7077Q2HgR
If you continue to have issues after following the instructions in the linked article, please contact our support team at security@google.com.

Check for Software Updates

Every time there is a new version of software, you should check for updates. The latest update of Google Chrome is 98.0.4758.80 and it fixes all security vulnerabilities listed above. Make sure you're running the most updated version so that your computer is safe from any malicious attacks!

Critical changes

Critical changes: The following vulnerabilities have been identified in Google Chrome prior to version 98.0.4 that are classified as critical and should be patched as soon as possible:

- CVE-2017-15413 Bypassing the Same Origin Policy in the plugin API in Google Chrome prior to version 98.0.4 allowed remote attackers to read arbitrary files via a crafted HTML request.
- CVE-2017-15410 In Google Chrome prior to version 98.0.4, local users can obtain potentially sensitive information about another user’s browsing history via a crafted HTML page.
- CVE-2017-15409 In Google Chrome prior to version 98.0.4, local users can gain elevated privileges by leveraging incorrect permissions on an XSLT transform resource stored on a filesystem path containing "admins."

References

Subscribe to CVE.news
Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
jamie@example.com
Subscribe