EXECUTIVE SUMMARY:

After discovering this vulnerability, Google issued an update for the bug, which is found in the open-source V8 JavaScript engine. The bug received a “high severity” classification and is under active exploitation in the wild. In this article, get critical vulnerability and management insights, which can help defenders avoid surprises.

Google Chrome zero-day vulnerability

To address this vulnerability, which, again, is being actively exploited in the wild, Google has updated its Stable channel for the desktop version of Chrome.

This bug manifests as a type-confusion issue in the V8 JavaScript engine, an open-source engine used by Chrome and Chromium-based web browsers. According to Microsoft, type confusion occurs when code fails to verify the type of object passed to it and uses the object blindly without type-checking.

“Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances, this can lead to code execution.”

Known information

The issue has been labeled “high-severity” (although no CVSS score was assigned). An anonymous researcher has been credited with finding the issue, which is being tracked as CVE-2022-1096. Limited further information exists at this point. This is a source of frustration for cyber security professionals who need to defend against this type of intrusion.

“As a defender, I really wish it was more clear [as to] what the security fix is,” stated John Bambenek, a principal threat hunter. “I get permission-denied errors or ‘need to authenticate,’ so I can’t make decisions or advise my clients…”

Emergency patching

For Chrome for Windows, Mac and Linux, the internet giant has updated the Stable Channel to 99.0.4844.84. Because Microsoft runs the Chromium-based Edge browser, the company also issued its own advisory around the vulnerability. At present, it is unclear whether other V8-built offerings, such as the JavaScript runtime environment Node.js, have also been affected.
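The following Python check is an added example, not code from Google or from this article: it compares inventoried Chrome versions against the fixed Stable build 99.0.4844.84 numerically, because a plain string comparison would rank Chrome 100 below 99. The inventory records, host names and status labels are constructed assumptions; non-Chrome products are reported as unknown because the article gives no fixed build for them.

```python
import re

# Fixed Stable channel build for desktop Chrome, as stated in the article.
FIXED_CHROME = (99, 0, 4844, 84)

# Chrome versions have four dot-separated numeric fields.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first four-part version found in text as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(product, version_text):
    """Classify one inventory record as 'patched', 'needs_update' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable version: needs manual follow-up
    # Only Chrome's fixed build is given in the article; Edge and other
    # Chromium-based browsers use their own numbering and advisories.
    if product.strip().lower() not in ("chrome", "google chrome"):
        return "unknown"
    # Tuples compare field by field as integers, so 100.x sorts above 99.x.
    return "patched" if version >= FIXED_CHROME else "needs_update"


def report(inventory):
    """Map each host to its status."""
    return {host: classify(product, ver) for host, product, ver in inventory}


# Constructed sample inventory: (host, product, reported version string).
SAMPLE_INVENTORY = [
    ("ws-01", "Google Chrome", "Google Chrome 99.0.4844.82"),
    ("ws-02", "Google Chrome", "99.0.4844.84"),
    ("ws-03", "Google Chrome", "100.0.4896.60"),
    ("ws-04", "Microsoft Edge", "99.0.1150.52"),
    ("ws-05", "Google Chrome", "version unavailable"),
]

if __name__ == "__main__":
    for host, status in report(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```
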

A patch was issued on an emergency basis. However, the update appears to resolve only a single issue. Analysts say that for Google, this is an unusual move, as the company typically presents fixes for multiple issues within a single release.

The issuance of a single patch suggests that Google is quite concerned about CVE-2022-1096. This notion is furthered by the speed at which the company delivered the patch. While Google is known for agility and speed in delivering patches, this one was released within 48 hours.

V8 Engine security bugs

Over the past few years, the V8 engine has been affected by a series of security bugs, serving as a target for a slew of hacking attempts. In 2021 alone, experts identified a total of 16 of these Chrome zero-day threats. They’ve included other type-confusion bugs, use-after-free bugs, and others. One such bug enabled hackers to execute arbitrary code inside a sandbox via a crafted HTML page.

For more information, please see Google Chrome Releases.