Date: 2022-06-11

The Indian Computer Emergency Response Team (CERT-In) has flagged multiple vulnerabilities in browsers such as Google Chrome and Mozilla Firefox, which the agency said could be exploited by cyber attackers.

In a vulnerability note issued on June 10, CERT-In, which works under the ministry of electronics and information technology, said an attacker can exploit a use-after-free in WebGPU (a graphics application programming interface), an out-of-bounds memory access in WebGL (a JavaScript API), an out-of-bounds read in compositing and a use-after-free in ANGLE, which is an open-source, cross-platform graphics engine layer developed by Google.

Cybersecurity and digital privacy firm Kaspersky defines use-after-free as a vulnerability related to incorrect use of dynamic memory during program operation. "If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to hack the program," Kaspersky said.

Common Weakness Enumeration defines out-of-bounds read as a vulnerability that allows attackers to read sensitive information from other memory locations and cause a crash.

This is the second vulnerability note CERT-In has issued on Google Chrome products in a week. On June 6, the agency, which deals with cyber security threats like hacking and phishing, flagged vulnerabilities that could allow attackers to execute arbitrary code on a targeted system.

The agency had also highlighted vulnerabilities in Mozilla products such as its iOS version prior to 101, Thunderbird versions prior to 91.10 and so on.

"Multiple vulnerabilities have been reported in Mozilla products which could allow a remote attacker to disclose sensitive information, bypass security restrictions, execute arbitrary code, perform spoofing attacks, and cause denial of service attack on the targeted system," the vulnerability note read.

CERT-In urged users to update Mozilla and Chrome browsers to their latest versions.

CERT-In has been in the spotlight ever since it published a slew of directions that seek additional compliance from corporates whose users are in the country.

The directions, which come into force from June 27, have been criticised by civil society and industry bodies and have forced VPN service providers such as Surfshark and ExpressVPN to pull their servers from the country.