The Computer Emergency Response Team (CERT-In) of the Indian government has flagged several vulnerabilities in Google Chrome and Mozilla products. According to CERT-In, these vulnerabilities gave the hackers access to the users’ sensitive data by allowing them to execute arbitrary codes by bypassing all the security mechanisms in place.
Google Chrome OS versions before 96.0.4664.209 contained vulnerabilities marked as high-risk by CERT-In. Vulnerabilities in this criteria are labeled under CVE-2022-1633, CVE-202-1636, CVE-2021-43527, CVE-2022-1489, CVE-2022-1859, CVE-2022-1867, and CVE-2022-23308 by Google.
In the case of Mozilla, CERT-In has detected and flagged bugs present in the Mozilla Firefox Thunderbird versions before 91.10, Mozilla Firefox iOS versions before 101, Mozilla Firefox versions before 101, and Mozilla Firefox ESR versions before 91.10.
Google acknowledged the bugs and later reported to have fixed them. The company also requested the users to update Chrome OS to the latest version to steer clear of those bugs. Similarly, Mozilla urged its users to download the latest versions, namely Mozilla Firefox iOS 101, Mozilla Firefox Thunderbird version 91.10, Mozilla Firefox ESR version 91.10, and Mozilla Firefox 101 to avoid the vulnerabilities.
According to CERT-In, these vulnerabilities posed a significant threat to the security and privacy of the users by allowing the hackers to start a denial-of-service (DoS) attack. The bugs also allowed the hackers to disclose sensitive information, break security restrictions, execute arbitrary codes, and inflict spoofing attacks.
While explaining the vulnerabilities, CERT-In said that the bugs in Chrome OS are due to heap buffer overflow in V8 internalization, sharesheet, performance manager, and performance APIs. CERT-In added that the bugs reported in dev-libs/libxml2, insufficient validation of untrusted input in data transfer, and out of bounds memory access in UI Shelf contributed to the vulnerabilities.