Chrome DevTools was updated to version 6.0.600.0 and now includes a new feature called Chrome Debugger that enables debugging of extension code. Because the feature was still in development, it was enabled by default for unauthenticated remote connections. This enabled an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. The issue was fixed in version 102.0.5005.62.
In addition to the remote debugging feature, Chrome also enabled remote DevTools for all other non-intrinsic extensions. This change in behavior allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. The issue was fixed in version 68.0.3440.75.
CVE-2022-1875
CVE-2022-1875 is a Chrome extension security issue that was fixed in the Chrome 68.0.3440.75 release on April 9, 2018. The remote debugging feature in Chrome DevTools enabled an attacker to exploit heap corruption via crafted HTML page.
The attack vector for this vulnerability is through delivering maliciously crafted web pages that exploit heap corruption to the user's computer system and executing arbitrary code on the underlying operating system of the computer system.
Chrome Debugger enables debugging of extensions, which adds a new avenue for attackers who are able to convince users to install malicious extensions or extensions with vulnerabilities in them to exploit code execution on their target computers. This vulnerability was fixed on April 9, 2018 by updating from version 6.0.600.0 to version 68.0.3440.75
What is DevTools?
Chrome DevTools is a set of tools that allow web developers to easily change, test and debug their websites. It has many features such as the Network Inspector, Timeline, Console, and Sources.
CVE-2001-1802
Google Chrome was updated to version 62.0.3202.62 on September 5, 2018 and now includes a new feature called Chrome Debugger that enables debugging of extension code. Because the feature was still in development, it was enabled by default for unauthenticated remote connections. This enabled an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. The issue was fixed in version 102.0.5005.62 on September 12, 2018.
In addition to the remote debugging feature, Chrome also enabled remote DevTools for all other non-intrinsic extensions. This change in behavior allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. The issue was fixed in version 68.0.3440.75 on September 12, 2018
CVE-2021-1874
Chrome DevTools was updated to version 6.0.600.0 and now includes a new feature called Chrome Debugger that enables debugging of extension code. Because the feature was still in development, it was enabled by default for unauthenticated remote connections. This enabled an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. The issue was fixed in version 102.0.5005.62
In addition to the remote debugging feature, Chrome also enabled remote DevTools for all other non-intrinsic extensions. This change in behavior allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted HTML page. The issue was fixed in version 68.0.3440.75.
Timeline
Published on: 07/27/2022 22:15:00 UTC
Last modified on: 08/15/2022 11:17:00 UTC