Google Patches the Seventh Zero-Day Chrome Vulnerability of 2022
The latest patch fixes a type confusion bug residing in the JavaScript-based V8 engine that can lead to arbitrary code execution.
Google recently rolled out an emergency fix for a zero-day vulnerability, the seventh one so far in 2022, affecting its flagship web browser Chrome. The latest patch fixes a type confusion bug in the JavaScript-based V8 engine.
Tracked as CVE-2022-3723, the flaw is the seventh zero-day vulnerability, i.e., whose exploit is publicly available, and the third type confusion weakness in Chrome’s V8 engine. Needless to say, users should prioritize patching the vulnerability by updating Google Chrome to version 107.0.5304.87/107.0.5304.88 as soon as possible.
Security researchers Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast discovered the type confusion bug that can enable arbitrary code execution. Details of the vulnerability are currently withheld from public release because of security concerns.
“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google said.
According to Common Weakness Enumeration (CWE), type confusion results from any program accessing any system resource using an incompatible type. So if a program initializes a resource, such as an object or a variable, by defining one type but later accesses that same resource with another type incompatible with the original object type, it could trigger logical errors.
A successful exploit of type confusion vulnerabilities can enable threat actors to access out-of-bounds system memory, particularly in applications written in languages without memory safety, such as C and C++, and allow arbitrary code execution. V8 is written in C++.
“Loosely speaking, that means it’s almost certain that merely visiting and viewing a booby-trapped website – something that’s not supposed to lead you into harm’s way on its own – could be enough to launch rogue code and implant malware on your device, without any popups or other download warnings,” wrote Paul Ducklin, principal research scientist at Sophos.
See More: GitHub High-Severity Vulnerability Exposed 10,000 Packages to RepoJacking
Eran Livne, senior director of product management at Qualys, wrote in a blog post, “Attacks on the V8 component of Chrome are not typical but are among the most dangerous. Google does not define the level of activity concerning the exploitation that exists in the wild, so whether attacks using CVE-2022-3723 are across-the-board or limited is unknown now.”
The seven zero-day Chrome vulnerabilities are listed below:
Vulnerability | Type | Resides In | CVSS Score | Vulnerable Chromium Versions |
---|---|---|---|---|
CVE-2022-0609 | Use-after-free | Animation | 8.8 | Before 98.0.4758.102 |
CVE-2022-1096 | Type confusion | V8 engine | 8.8 | Before 99.0.4844.846 |
CVE-2022-1364 | Type confusion | V8 engine | 8.8 | Before 100.0.4896.127 |
CVE-2022-2294 | Heap buffer overflow | WebRTC | 8.8 | 103.0.5060.114 |
CVE-2022-2856 | Insufficient validation of untrusted input | Intents | 6.5 | Before 104.0.5112.97 |
CVE-2022-3075 | Insufficient data validation | Mojo | 9.6 | Before 105.0.5195.54 |
CVE-2022-3723 | Type confusion | V8 engine | NA | Before 107.0.5304.87 |
Overall, Google Chrome was found with 303 vulnerabilities until October 5, 2022, according to AtlasVPN. The popular browser, which enjoys a 65.27% market share, also has the highest number of all-time vulnerabilities discovered.
Web Browsers by Number of Vulnerabilities | Source: AtlasVPN
The V8 engine is used in most Chromium-based web browsers, including Brave, Opera, Vivaldi and Microsoft Edge, besides Google Chrome.
To update Chrome, click on the three vertical ellipses in the top right corner > Settings > About Chrome, where the browser will automatically check for updates. The application will prompt users to restart Chrome after updates are installed.
Let us know if you enjoyed reading this news on LinkedIn, Twitter, or Facebook. We would love to hear from you!
Image source: Shutterstock