Google Patches the Seventh Zero-Day Chrome Vulnerability of 2022

The latest patch fixes a type confusion bug in Chrome's V8 JavaScript engine that can lead to arbitrary code execution.

November 2, 2022

Google recently rolled out an emergency fix for a zero-day vulnerability, the seventh one so far in 2022, affecting its flagship web browser Chrome. The latest patch fixes a type confusion bug in the V8 JavaScript engine.

Tracked as CVE-2022-3723, the flaw is the seventh zero-day vulnerability of the year, i.e., one whose exploit is publicly available, and the third type confusion weakness in Chrome’s V8 engine. Users should prioritize patching the vulnerability by updating Google Chrome to version 107.0.5304.87/107.0.5304.88 as soon as possible.

Security researchers Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast discovered the type confusion bug that can enable arbitrary code execution. Details of the vulnerability are currently withheld from public release because of security concerns.

“Access to bug details and links may be kept restricted until a majority of users are updated with a fix. We will also retain restrictions if the bug exists in a third party library that other projects similarly depend on, but haven’t yet fixed,” Google said.

According to the Common Weakness Enumeration (CWE), type confusion occurs when a program accesses a resource using a type that is incompatible with the one it was created with. If a program initializes a resource, such as an object or a variable, as one type but later accesses that same resource as another, incompatible type, it could trigger logical errors.

A successful exploit of type confusion vulnerabilities can enable threat actors to access out-of-bounds system memory, particularly in applications written in languages without memory safety, such as C and C++, and allow arbitrary code execution. V8 is written in C++.
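The CWE definition above can be seen in a small C program. This is an added illustration, not V8 code and not a reconstruction of CVE-2022-3723, whose details are withheld; the `struct value` layout and all function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed tagged value, loosely like a script runtime's boxed values. */
enum kind { KIND_NUMBER, KIND_STRING };

struct value {
    enum kind kind;                 /* type the value was initialized as */
    union {
        size_t number;
        struct { size_t len; const char *data; } str;
    } as;
};

struct value make_number(size_t n) {
    struct value v;
    memset(&v, 0, sizeof v);
    v.kind = KIND_NUMBER;
    v.as.number = n;
    return v;
}

struct value make_string(const char *s) {
    struct value v;
    memset(&v, 0, sizeof v);
    v.kind = KIND_STRING;
    v.as.str.len = strlen(s);
    v.as.str.data = s;
    return v;
}

/* Confused access: assumes a string and never checks the tag, so a
   number's bits are reinterpreted as a buffer length. */
size_t confused_length(const struct value *v) { return v->as.str.len; }

/* Checked access: rejects values that were not initialized as strings. */
int checked_length(const struct value *v, size_t *out) {
    if (v->kind != KIND_STRING) return -1;
    *out = v->as.str.len;
    return 0;
}

int main(void) {
    struct value n = make_number(4096);
    size_t len = 0;
    printf("confused length: %zu\n", confused_length(&n));
    printf("checked access: %d\n", checked_length(&n, &len));
    return 0;
}
```

The confused accessor reports a 4096-byte "string" that was never allocated, which is how a wrong type assumption turns into an out-of-bounds length; the checked accessor fails closed on the tag mismatch.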

“Loosely speaking, that means it’s almost certain that merely visiting and viewing a booby-trapped website – something that’s not supposed to lead you into harm’s way on its own – could be enough to launch rogue code and implant malware on your device, without any popups or other download warnings,” wrote Paul Ducklin, principal research scientist at Sophos.

Eran Livne, senior director of product management at Qualys, wrote in a blog post, “Attacks on the V8 component of Chrome are not typical but are among the most dangerous. Google does not define the level of activity concerning the exploitation that exists in the wild, so whether attacks using CVE-2022-3723 are across-the-board or limited is unknown now.”

The seven zero-day Chrome vulnerabilities are listed below:

| Vulnerability | Type | Resides In | CVSS Score | Vulnerable Chromium Versions |
|---|---|---|---|---|
| CVE-2022-0609 | Use-after-free | Animation | 8.8 | Before 98.0.4758.102 |
| CVE-2022-1096 | Type confusion | V8 engine | 8.8 | Before 99.0.4844.846 |
| CVE-2022-1364 | Type confusion | V8 engine | 8.8 | Before 100.0.4896.127 |
| CVE-2022-2294 | Heap buffer overflow | WebRTC | 8.8 | 103.0.5060.114 |
| CVE-2022-2856 | Insufficient validation of untrusted input | Intents | 6.5 | Before 104.0.5112.97 |
| CVE-2022-3075 | Insufficient data validation | Mojo | 9.6 | Before 105.0.5195.54 |
| CVE-2022-3723 | Type confusion | V8 engine | NA | Before 107.0.5304.87 |

Overall, 303 vulnerabilities had been found in Google Chrome as of October 5, 2022, according to AtlasVPN. The popular browser, which enjoys a 65.27% market share, also has the highest number of all-time vulnerabilities discovered.

[Figure: Web Browsers by Number of Vulnerabilities | Source: AtlasVPN]

The V8 engine is used in most Chromium-based web browsers, including Brave, Opera, Vivaldi and Microsoft Edge, besides Google Chrome.

To update Chrome, click the vertical ellipsis (three dots) in the top right corner, then go to Settings > About Chrome, where the browser will automatically check for updates. The application will prompt users to restart Chrome after updates are installed.

Sumeet Wadhwani
Asst. Editor, Spiceworks Ziff Davis
