The Indian Computer Emergency Response Team (CERT-In), on June 6, flagged several bugs in Chrome OS and Mozilla products that may put various sensitive data at risk.
Cert-In has published Vulnerability Notes on its Website (06.06.2022)
Multiple Vulnerabilities in Mozilla Productshttps://t.co/EMpJWg9wqZ
Multiple Vulnerabilities in Google Chrome OShttps://t.co/kyVBvuAtcQ
— CERT-In (@IndianCERT) June 6, 2022
In the notes attached, the agency mentioned that the bugs could allow a remote attacker to disclose sensitive information, bypass security restrictions, execute arbitrary code and perform multiple other kinds of attacks on the targeted system. Both Google and Mozilla bugs have been classified as highly severe threats.
Why it matters: Cyber-attacks have been on the rise since the pandemic started with the Ministry of Home Affairs reporting 12 lakh cyber security incidents in 2020 alone. Two common patterns in attacks all over the world are the exploitation of vulnerabilities in web browsers and operating systems. The fact that CERT-In has flagged these bugs in softwares used commonly around the country should prompt a deeper look into other browsers and OSs as well.
Google Chrome OS: CERT-In has flagged eight sensitive bugs in the Google Chrome operating systems prior to the newly released version 96.0.4664.209. If not fixed, these bugs can let an attacker trigger arbitrary code to harm the victim system.
“These vulnerabilities exist in Google Chrome OS due to heap buffer overflow in V8 internalisation; use after free in Sharesheet, Performance Manager, Performance APIs; vulnerability reported in dev-libs/libxml2; Insufficient validation of untrusted input in Data Transfer and Out of bounds memory access in UI Shelf,” the agency said in its report.
The Chrome OS is used to power a range of economic tabs, notebooks and laptops across multiple brands that are popular in smaller towns. CERT-In suggests an update to the May 31 release of the OS to get rid of these loopholes.
Mozilla web browsers: Four different internet browsers developed by Mozilla have been flagged as carrying sensitive bugs that could allow a remote attacker to not only inflict the harms listed above but also allows a launchpad for a denial of service (DoS) attack on the target.
- Firefox iOS versions before 101
- Firefox Thunderbird versions preceding 91.10
- Firefox ESR versions before 91.10
- Firefox desktop versions older than 101 –
“A remote attacker could exploit these vulnerabilities by convincing a victim to open a specially crafted web request,” the report notes. CERT-In asks users to upgrade these browsers to their latest versions in order to get rid of these bugs.
What other measures is CERT-In taking: On April 28, CERT-In issued new cybersecurity directions covering the timeframe for reporting cyber security incidents, maintenance of KYC and transaction information for crypto exchanges and wallets, maintenance of customer details by data centres, cloud services and VPN providers and maintenance of logs in Indian jurisdiction. These directions will become effective later in June.
- CERT-In Wants Cybersecurity Incidents Reported Within 6 Hours
- CERT-In Has A New Vulnerability Disclosure Policy That Doesn’t Spare The Messenger