Google Chrome and Chrome OS
Multiple security bugs with high severity ratings were detected in Google Chrome and Chrome OS which could be exploited by remote attackers to bypass security restrictions, access user information, execute arbitrary code, or cause denial-of-service on the targeted systems.
(For insights on emerging themes at the intersection of technology, business, and policy, subscribe to our tech newsletter Today’s Cache.)
CERT-In, (Indian Computer Emergency Response Team), in its vulnerability notes shared that the bugs existed in Google Chrome due to flaws in Overview Mode, inappropriate implementation of full-screen API, insufficient validation of untrusted input in download, and insufficient policy enforcement in CORS.
The exploitation of these bugs in Google Chrome could allow attackers to target the software for Mac, Linux, and Windows users.
In Chrome OS security bugs were detected in Mojo IPC and Blink Media components. And attackers could exploit these vulnerabilities by persuading victims to visit specially crafted websites.
Vulnerabilities in Google Chrome and Chrome OS have been fixed with security updates released over the week.
Adobe products
High-severity security bugs were detected in multiple Adobe products affecting Windows and macOS users.
The security bugs reported in Adobe could allow attackers to execute arbitrary codes, cause memory leaks, gain elevated privileges and even cause denial-of-services on targeted systems.
CERT-In in its vulnerability notes shared that the bugs existed due to problems in Out-of-bounds Read and Write errors, Use after Free errors, Stack-based Buffer Overflow, Heap-based Buffer Overflow, Integer Overflow or Wraparound, NULL Pointer Dereference, Violation of Secure Design Principles and Improper Input Validation.
Adobe has released software updates fixing the security bugs recommending users update their software to avoid exploitation.
Microsoft Windows
Multiple vulnerabilities in different components of Microsoft’s Windows 32- and 64-bit systems were detected over the week.
These vulnerabilities were found to allow attackers to bypass security restrictions, gain elevated privileges, and execute arbitrary codes on the targeted systems.
According to vulnerability notes shared by CERT-In, these bugs existed in Windows Cryptographic Services, Advanced Local Procedure Call, Secure Socket Tunneling, and Windows Layer 2 Tunneling Protocol.
In MS Windows cryptographic services, the security bug was found to exist due to the application not enforcing security restrictions, while in secure socket tunneling it existed due to a race condition. In Windows layer 2 tunneling, however, the bug existed due to a flaw in the component.
CERT-In also shared that these vulnerabilities in Windows could be exploited by attackers by sending specially crafted requests to targeted systems or by sending a maliciously crafted connection request to a RAS server.
Windows has released security updates with bug fixes for the vulnerabilities and users are advised to update their software.
