Important Notice: Security vulnerabilities of Google Chrome
Important Notice: Security Vulnerability Advisory for Google Chrome Products
Information Security Alert
To: All Users
As informed by the Cybersecurity Incident Alert and Response Centre (CARIC), Google has recently issued a security vulnerability notice about Chrome. Attackers can use these vulnerabilities to trigger the execution of arbitrary code on the target system. There are signs that related vulnerabilities have been exploited recently. Please be reminded to update as soon as possible.
Related vulnerabilities
- CVE-2023-0696
Due to a type confusion vulnerability in Google Chrome's V8 engine, attackers can cause heap corruption through HTML pages.
- CVE-2023-0697
Due to a faulty implementation of full-screen mode in the Android version of Google Chrome, attackers could trick security mechanisms with HTML pages.
- CVE-2023-0698
Due to an out-of-bounds read vulnerability in WebRTC in Google Chrome, attackers can perform an out-of-bounds memory read through an HTML page.
- CVE-2023-0699
Due to a use-after-free weakness in the GPU in Google Chrome, attackers can cause heap corruption through HTML pages and browser shutdown.
- CVE-2023-0700
Due to an improper implementation in Google Chrome's download handling, attackers can use HTML pages to spoof the content of the URL bar.
- CVE-2023-0701
Due to a buffer overflow vulnerability in WebUI in Google Chrome, attackers can cause heap corruption by convincing the victim to participate in a specific UI interaction.
- CVE-2023-0702
Due to a type confusion weakness in data transfer in Google Chrome, attackers can cause heap corruption by tricking victims into participating in specific UI interactions.
- CVE-2023-0703
Due to a type confusion weakness in DevTools in Google Chrome, attackers can cause heap corruption by tricking victims into participating in specific UI interactions.
- CVE-2023-0704
Due to insufficient policy enforcement in DevTools in Google Chrome, attackers can bypass the same-origin policy and proxy settings through HTML pages.
- CVE-2023-0705
Due to an integer overflow vulnerability in the core of Google Chrome, attackers can cause heap corruption via HTML pages.
Affected Products:
- Google Chrome versions lower than 110.0.5481.77 (Linux and Mac) and 110.0.5481.77/.78 (Windows)
For more details, please refer to: https://chromereleases.googleblog.com/2023/02/stable-channel-update-for-desktop.html
Mitigation
If any of the above-mentioned affected products are in use, please update Google Chrome as soon as possible.
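To find installations that still need the update, the version check can be run over an inventory export. The following is an added example, not part of the original notice; the `host,platform,version output` line format, the host names and the function names are assumptions, and the fixed build numbers are taken from the Affected Products entry above.

```python
import re

# Fixed builds from the advisory's "Affected Products" entry.
FIXED_BUILD = {
    "linux": (110, 0, 5481, 77),
    "mac": (110, 0, 5481, 77),
    "windows": (110, 0, 5481, 77),  # Windows fix shipped as .77/.78
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the four-part version in text as a tuple of ints, or None."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(platform, version_text):
    """Return 'affected', 'ok' or 'unknown' for one installation."""
    fixed = FIXED_BUILD.get(platform.strip().lower())
    version = parse_version(version_text)
    if fixed is None or version is None:
        return "unknown"  # never report unparseable data as patched
    # Tuple comparison is numeric: 110.0.5481.100 is newer than 110.0.5481.77.
    return "affected" if version < fixed else "ok"


def audit(inventory_lines):
    """Map host -> status for 'host,platform,version output' lines."""
    results = {}
    for line in inventory_lines:
        fields = [field.strip() for field in line.split(",", 2)]
        if len(fields) == 3:
            host, platform, version_text = fields
            results[host] = classify(platform, version_text)
    return results

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    "lab-pc-01,windows,Google Chrome 109.0.5414.120",
    "lab-pc-02,windows,Google Chrome 110.0.5481.78",
    "mac-03,mac,Google Chrome 110.0.5481.100",
    "srv-04,linux,Google Chrome 110.0.5481.76",
    "kiosk-05,linux,not installed",
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` (unparseable version or a platform not listed in the advisory) should be checked by hand rather than assumed patched.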
Should you have any enquiries, please feel free to contact ICTO Help Desk.
ICTO Help Desk
Location : Room 2085, 2/F, Central Teaching Building (E5), eMap
Telephone : 8822 8600
email : icto.helpdesk@um.edu.mo
Information and Communication Technology Office
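To all users:
The Information and Communication Technology Office has been notified by the Cybersecurity Incident Alert and Response Centre that Google has recently issued notices about multiple security vulnerabilities in the Chrome browser. Attackers can exploit these vulnerabilities to cause a memory overflow on the target system and, in turn, leak information or remotely execute arbitrary code. If you are using the above-mentioned affected products, please update your system as soon as possible to avoid being compromised.
Details of the related vulnerabilities
- CVE-2023-0696
Due to a type confusion vulnerability in Google Chrome's V8 engine, attackers can cause heap corruption through a crafted HTML page.
- CVE-2023-0697
Due to a faulty implementation of full-screen mode in the Android version of Google Chrome, attackers can deceive security mechanisms through a crafted HTML page.
- CVE-2023-0698
Due to an out-of-bounds read weakness in WebRTC in Google Chrome, attackers can perform an out-of-bounds memory read through a crafted HTML page.
- CVE-2023-0699
Due to a use-after-free weakness in the GPU in Google Chrome, attackers can cause heap corruption through a crafted HTML page and browser shutdown.
- CVE-2023-0700
Due to an improper implementation in Google Chrome when downloading, attackers can spoof the content of the URL bar through a crafted HTML page.
- CVE-2023-0701
Due to a heap buffer overflow weakness in WebUI in Google Chrome, attackers can cause heap corruption by convincing the victim to participate in a specific UI interaction.
- CVE-2023-0702
Due to a type confusion weakness in data transfer in Google Chrome, attackers can cause heap corruption by tricking the victim into participating in a specific UI interaction.
- CVE-2023-0703
Due to a type confusion weakness in DevTools in Google Chrome, attackers can cause heap corruption by tricking the victim into participating in a specific UI interaction.
- CVE-2023-0704
Due to insufficient policy enforcement in DevTools in Google Chrome, attackers can bypass the same-origin policy and proxy settings through a crafted HTML page.
- CVE-2023-0705
Due to an integer overflow weakness in the core of Google Chrome, attackers can cause heap corruption through a crafted HTML page.
Affected versions:
- Google Chrome versions lower than 110.0.5481.77 (Linux and Mac) and 110.0.5481.77/.78 (Windows)
For details, please refer to: https://chromereleases.googleblog.com/2023/02/stable-channel-update-for-desktop.html
Required action
- If any of the above-mentioned affected products are in use, Google Chrome must be updated as soon as possible.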
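Should you have any enquiries, please contact the Information and Communication Technology Office Help Desk.
Help Desk
Location : Room 2085, 2/F, Central Teaching Building (E5) (eMap)
Telephone : 8822 8600
Email : icto.helpdesk@um.edu.mo
Information and Communication Technology Office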