The Indian Computer Emergency Response Team (CERT-In) has issued a high-risk warning for users of Google Chrome on desktop systems. In its latest note, the government’s cybersecurity organisation has highlighted multiple vulnerabilities in Google’s web browser that, if exploited, could allow remote attackers to execute arbitrary code on the affected system. The government advisory urges users to immediately update their Chrome browser to protect their systems.

In the latest vulnerability note CIVN-2024-0231, CERT-In has identified multiple vulnerabilities in Google Chrome for Desktop that pose a serious threat to the security of users. The most worrying aspect is the ability of remote attackers to execute arbitrary code on the targeted system. This means that attackers can potentially take remote control of the affected device, access sensitive data, install malicious software or even shut down the system completely.

What causes the risk?

According to the note, the vulnerabilities in question in Google Chrome are primarily due to two specific issues in Google Chrome’s codebase:

1. Uninitialized Use: This vulnerability occurs when a variable in the program is used before it has been assigned a defined value. This can lead to unexpected behavior and can be exploited by attackers to manipulate the operation of the program.

2. Insufficient data validation in Dawn: Dawn is a WebGPU implementation that Chrome uses to render graphics. Insufficient data validation in Dawn means that Chrome does not adequately check the data it processes, which can lead to unauthorized code execution when the browser encounters specially crafted input.

Together, these vulnerabilities create a way for attackers to craft malicious requests that, when processed by Chrome, can lead to the execution of arbitrary code on the victim’s machine.

Affected software

These vulnerabilities affect the following versions of Google Chrome:

– Google Chrome stable channel versions prior to 127.0.6533.88/89 (for Windows and macOS)
– Google Chrome stable channel versions prior to 127.0.6533.88 (for Linux)

Users of these versions are highly vulnerable to attacks exploiting these vulnerabilities.

How to stay safe?

To protect your system from these vulnerabilities, CERT-In recommends taking the following steps:

Update Google Chrome: Make sure your Chrome browser is updated to the latest version. Stable channel versions 127.0.6533.88/89 for Windows and macOS and 127.0.6533.88 for Linux contain the patches needed to fix these vulnerabilities. To update Chrome, go to the browser menu, select “Help” and then “About Google Chrome”. The browser will automatically check for updates and install them.

2. Enable automatic updates: To stay safe from future vulnerabilities, enable automatic updates in Google Chrome. This will ensure that your browser always has the latest security patches.