Google Chrome zero-day vulnerability
To address this vulnerability, which is being actively exploited in the wild, Google has pushed an update to the Stable channel for desktop Chrome.
“Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances, this can lead to code execution.”
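The mechanism the quote describes, as an added example in C that is not code from the article or from Chromium/V8: every heap object starts with a type tag, and a vulnerable accessor casts the object to the "callable" layout without checking that tag, so an attacker-controlled integer stored in a "number" object is read back as a function pointer. All type and function names (obj_header, number_obj, callable_obj, get_target_unchecked, get_target_checked) are hypothetical; the hardened accessor beside it shows the check that was missing.

```c
/* Added example, not code from the article or from Chromium/V8: a minimal
 * C model of the type-confusion bug class behind CVE-2022-1096. Every
 * object starts with a type tag; the vulnerable accessor casts without
 * checking that tag, so an attacker-controlled integer stored in a
 * "number" object is read back as a function pointer. All names are
 * hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum obj_type { OBJ_NUMBER = 1, OBJ_CALLABLE = 2 };

struct obj_header { enum obj_type type; };   /* shared by every object */

struct number_obj {                          /* payload: script-controlled */
    struct obj_header hdr;
    uintptr_t value;
};

typedef int (*native_fn)(void);
struct callable_obj {                        /* payload: native code pointer */
    struct obj_header hdr;
    native_fn fn;
};

static int benign_native(void) { return 42; }

/* Vulnerable: assumes the caller already proved the object is callable.
 * For a number_obj the 'fn' slot overlays 'value', so the integer the
 * attacker wrote becomes the call target: wrong data fed into the wrong
 * piece of code. */
static native_fn get_target_unchecked(struct obj_header *o) {
    return ((struct callable_obj *)o)->fn;
}

/* Hardened: check the tag before reinterpreting the object. */
static native_fn get_target_checked(struct obj_header *o) {
    if (o == NULL || o->type != OBJ_CALLABLE)
        return NULL;
    return ((struct callable_obj *)o)->fn;
}

/* Constructors. The attacker value is written with memcpy so the later
 * cast-based read in the vulnerable accessor cannot be reordered past
 * the store by type-based alias analysis. */
static struct obj_header *make_number(uintptr_t attacker_value) {
    struct number_obj *n = calloc(1, sizeof *n);
    if (n == NULL) abort();
    n->hdr.type = OBJ_NUMBER;
    memcpy(&n->value, &attacker_value, sizeof n->value);
    return &n->hdr;
}

static struct obj_header *make_callable(native_fn fn) {
    struct callable_obj *c = calloc(1, sizeof *c);
    if (c == NULL) abort();
    c->hdr.type = OBJ_CALLABLE;
    c->fn = fn;
    return &c->hdr;
}

/* Address the vulnerable path would jump to for an attacker-chosen value.
 * It is only inspected, never called: calling it is the crash or, with a
 * usable address, the code execution the article describes. */
uintptr_t confused_target(uintptr_t attacker_value) {
    struct obj_header *o = make_number(attacker_value);
    uintptr_t addr = (uintptr_t)get_target_unchecked(o);
    free(o);
    return addr;
}

/* Dispatch through the hardened accessor: the native result for a
 * callable, -1 (refused) for anything else. */
int dispatch_checked(struct obj_header *o) {
    native_fn f = get_target_checked(o);
    return f ? f() : -1;
}

int main(void) {
    struct obj_header *num = make_number(0x41414141u);
    struct obj_header *fn  = make_callable(benign_native);
    printf("unchecked target for number object: 0x%lx\n",
           (unsigned long)confused_target(0x41414141u));
    printf("checked dispatch on number object:  %d\n", dispatch_checked(num));
    printf("checked dispatch on callable:       %d\n", dispatch_checked(fn));
    free(num);
    free(fn);
    return 0;
}
```

In V8 the equivalent mistake is usually an optimized (JIT-compiled) path that keeps assuming an object's type after something has changed it; the model above reduces that to a single missing tag check, which is why the fix for this class of bug is typically small even though the impact is code execution in the renderer.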
The issue has been rated “high-severity” (no CVSS score was assigned). An anonymous researcher is credited with finding it, and it is being tracked as CVE-2022-1096. Little further information is available at this time, which frustrates security professionals who need to defend against this class of intrusion.
“As a defender, I really wish it was more clear [as to] what the security fix is,” stated John Bambenek, a principal threat hunter. “I get permission-denied errors or ‘need to authenticate,’ so I can’t make decisions or advise my clients…”
The patch was issued on an emergency basis and appears to resolve only this single issue. Analysts note that this is unusual for Google, which typically bundles fixes for multiple issues into one release.
Shipping a single-issue patch suggests that Google is quite concerned about CVE-2022-1096, and the speed of the release reinforces that view. Google is known for delivering patches quickly, but this one was released within 48 hours.
V8 Engine security bugs
Over the past few years, the V8 engine has been affected by a series of security bugs and has been a frequent target of attacks. In 2021 alone, 16 Chrome zero-days were identified. They have included other type-confusion bugs as well as use-after-free bugs; one allowed an attacker to execute arbitrary code inside the renderer sandbox via a crafted HTML page.
For more information, please see Google Chrome Releases. Lastly, to receive cutting-edge cyber security news, insights, best practices and analyses in your inbox each week, sign up for the CyberTalk.org newsletter.