Google Chrome Bug Actively Exploited as Zero-Day

Mar 31, 2022 | News


Google issued an update for the bug, which is found in the open-source V8 JavaScript engine.

 

 

 

Google has updated its Stable channel for the desktop version of Chrome to address a zero-day security vulnerability that’s being actively exploited in the wild.

The bug, tracked as CVE-2022-1096, is a type-confusion issue in the V8 JavaScript engine, which is an open-source engine used by Chrome and Chromium-based web browsers. Type confusion, as Microsoft has laid out in the past, occurs “when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion…Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution.”

Google didn’t provide additional technical details, as is its wont, but did say that it was “aware that an exploit for CVE-2022-1096 exists in the wild.” An anonymous researcher was credited with finding the issue, which is labeled “high-severity” (no CVSS score was given).

The lack of any further information is a source of frustration to some.

“As a defender, I really wish it was more clear what this security fix is,” John Bambenek, principal threat hunter at Netenrich, said via email. “I get permission-denied errors or ‘need to authenticate,’ so I can’t make decisions or advise my clients. A little more transparency would be beneficial and appreciated.”

 

 

 


 

Emergency Patch; Active Exploit

 

The internet giant has updated the Stable channel to 99.0.4844.84 for Chrome for Windows, Mac and Linux, according to its security advisory. Microsoft, which offers the Chromium-based Edge browser, also issued its own advisory. It’s unclear whether other offerings built on V8, such as the JavaScript runtime environment Node.js, are also affected.
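An added example, not from the article or from Google: one way to check a browser inventory against the fixed build 99.0.4844.84 named above. The CSV layout, host names and sample version strings are constructed for illustration.

```python
import csv
import io
import re

# Fixed Stable build the article names for Chrome on Windows, Mac and Linux.
FIXED_CHROME = (99, 0, 4844, 84)
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

def parse_version(text):
    """Pull a four-part build number out of text such as the output of
    `google-chrome --version`; return None when none is present."""
    match = VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None

def classify(product, version_text):
    """Return 'patched', 'needs_update' or 'unknown' for one browser install."""
    version = parse_version(version_text)
    if version is None or product.strip().lower() != "chrome":
        # The article gives a fixed build only for Chrome; for Edge and other
        # Chromium-based browsers, take the number from the vendor advisory.
        return "unknown"
    # Compare as integer tuples: as strings, "100..." sorts below "99...".
    return "patched" if version >= FIXED_CHROME else "needs_update"

def audit(inventory_csv):
    """Map each host in a host,product,version CSV to its status."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["product"], row["version"]) for row in reader}

# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = """host,product,version
ws-001,Chrome,Google Chrome 99.0.4844.84
ws-002,Chrome,Google Chrome 99.0.4844.82
ws-003,Chrome,Google Chrome 100.0.4896.60
ws-004,Chrome,Google Chrome 99.0.4844.9
ws-005,Edge,Microsoft Edge 99.0.1150.46
ws-006,Chrome,not installed
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual look: either no version could be read or the product is one for which the article gives no fixed build.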

The patch was issued on an emergency basis, likely due to the active exploit that’s circulating, researchers noted.

“The first thing which stood out to me about this update is that it only fixes a single issue,” Casey Ellis, founder and CTO at Bugcrowd, noted by email. “This is pretty unusual for Google. They typically fix multiple issues in these types of releases, which suggests that they are quite concerned and very motivated to see fixes against CVE-2022-1096 applied across their user-base ASAP.”

He also commented on the speed of the patch being rolled out.

“The vulnerability was only reported on the 23rd of March, and while Google’s Chrome team do tend to be fairly prompt in developing, testing and rolling patches, the idea of a patch for software as widely deployed as Chrome in 48 hours is something I continue to be impressed by,” he said. “Speculatively, I’d suggest that the vulnerability has been discovered via detection of active exploitation in the wild, and the combination of impact and potentially the malicious actors currently using it contributed to the fast turnaround.”

 
 

 

 

V8 Engine in the Crosshairs

 

The V8 engine has been plagued with security bugs and targeted by cyberattackers many times in the last year:

Last year delivered a total of these 16 Chrome zero days:

  • CVE-2021-21148 – Feb. 4, an unnamed type of bug in V8
  • CVE-2021-21224 – April 20, an issue with type confusion in V8 that could have allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
  • CVE-2021-30551 – June 9, a type-confusion bug within V8 (also under active attack as a zero-day)
  • CVE-2021-30563 – July 15, another type-confusion bug in V8.
  • CVE-2021-30633 – Sept. 13, an out-of-bounds write in V8
  • CVE-2021-37975 – Sept. 30, a use-after-free bug in V8 (also attacked as a zero-day)
  • CVE-2021-38003 – Oct. 28, an inappropriate implementation in V8
  • CVE-2021-4102 – Dec. 13, a use-after-free bug in V8.

 


 

Source: threatpost.com
