CVE-2022-0977 After free in Browser UI in Google Chrome on Chrome OS prior to 99.0.4844.74 allowed a remote attacker to potentially exploit heap corruption.

This issue was addressed by disabling the setting of certain hook functions via a small script. Note: This issue is the same as CVE-2016-5117. Google engineers identified and fixed several issues in the handling of malformed web content. Some of these issues leaked data when incorrectly handled content was visited. Google released a version of Chrome that addresses these issues. All users are encouraged to update to the latest version.

What to do if you are currently using Chrome  56.0.3029.96

If you are currently using Chrome  56.0.3029.96, then you should update to the latest version of Chrome  56.0.3029.98 as soon as possible. These updates address several security issues that were identified by Google engineers, including a remote code execution vulnerability in the handling of malformed web content and data leakage when incorrectly handled content is visited.
Google recommends updating to the latest version of Chrome  56.0.3029.96 or later to mitigate the risks associated with this issue and other related vulnerabilities

Google Chrome prior to 57.0.2987.133

Google Chrome before 57.0.2987.133 allowed attackers to bypass the Same Origin Policy and obtain sensitive information via an IFRAME element referencing an external URL in a crafted HTML document.

Google Dorking Detection

Google Dorking Detection is a search engine that can help businesses locate unindexed content. It uses HTML-based queries to find pages on the web with specific URLs, which are then analyzed for the presence of keywords and other information that can then be used to identify whether or not the site has been indexed by Google.

This tool provides an alternative way to view webpages that are not indexed by Google. Because it uses HTML queries rather than crawling, this search engine may only work in certain circumstances and may not function as intended. Webmasters need to make sure that their content is still usable when using this tool.

CVE-2016-5117

This issue was addressed by disabling the setting of certain hook functions via a small script. Note: This issue is the same as CVE-2016-0977. Google engineers identified and fixed several issues in the handling of malformed web content. Some of these issues leaked data when incorrectly handled content was visited. Google released a version of Chrome that addresses these issues. All users are encouraged to update to the latest version.
NOTE: This issue is the same as CVE-2022-0977.

What to do if you are affected

If you use Chrome, you should update to the latest version for your browser.
1) See if you are affected by one of the following issues:
* CVE-2015-7961 - Google engineers identified and fixed several issues in the handling of malformed web content. Some of these issues leaked data when incorrectly handled content was visited. Google released a version of Chrome that addresses these issues. All users are encouraged to update to the latest version.
* CVE-2016-5117 - This issue was addressed by disabling the setting of certain hook functions via a small script. Note: This issue is the same as CVE-2022-0977. Google engineers identified and fixed several issues in the handling of malformed web content. Some of these issues leaked data when incorrectly handled content was visited
2) If you use Chrome, please update your browser to latest version
3) For more information on this issue, please see https://www.googleapis.com/chrome/components/webview/setEnabledHookFunctions

Timeline

Published on: 07/21/2022 23:15:00 UTC
Last modified on: 08/15/2022 11:16:00 UTC

References

• https://crbug.com/1299225
• https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_15.html
• https://security.gentoo.org/glsa/202208-25
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0977