Google Rolls Out Emergency Patch for Ninth Zero-Day Chrome Vulnerability of 2022
Tracked as CVE-2022-4262, the vulnerability affects all browser versions of Google Chrome on all platforms.
Google is rolling out an emergency, out-of-band patch for another zero-day vulnerability in its flagship browser Chrome. Tracked as CVE-2022-4262, the vulnerability affects all browser versions on all platforms.
More importantly, the exploit for the vulnerability, a type confusion bug in Chrome’s V8 engine, exists in the wild. This is why patching the vulnerability, reported on November 29 by Clement Lecigne of Google’s Threat Analysis Group, should be prioritized.
Like the three other type confusion vulnerabilities found in Chrome in 2022, this one can give threat actors out-of-bounds access to system memory on devices running the vulnerable browser.
“Details on the vulnerability and exploit have not been published yet, but ‘Type Confusion in V8’ vulnerabilities are related to the browser’s JavaScript engine,” Mike Walters, VP of vulnerability and threat research at Action1, told Spiceworks.
“It is very likely that this vulnerability allows remote code execution, which means that a threat actor could cause any script or malware payload to be executed on the victims’ device.”
The Center for Internet Security (CIS) noted that successful exploitation of CVE-2022-4262 can enable threat actors to execute arbitrary code in the context of the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Walters added, “In most cases, attackers exploit such vulnerabilities when users visit their malicious site. Then they steal data from the affected devices, or create botnets to perform distributed denial-of-service (DDoS) attacks, mine cryptocurrency or send spam.”
CVE-2022-4262 is the ninth zero-day vulnerability discovered and patched in 2022. It is also the fourth vulnerability in the V8 engine, which, besides Chrome, is used across most Chromium-based web browsers, including Brave, Opera, Vivaldi and Microsoft Edge.
All nine Chrome zero-day bugs are listed below:
| Vulnerability | Type | Resides In | CVSS Score | Month of Patch Release |
|---|---|---|---|---|
| CVE-2022-0609 | Use-after-free | Animation | 8.8 | March 2022 |
| (not listed) | Type confusion | V8 engine | 8.8 | March 2022 |
| CVE-2022-1364 | Type confusion | V8 engine | 8.8 | April 2022 |
| (not listed) | Heap buffer overflow | WebRTC | 8.8 | July 2022 |
| CVE-2022-2856 | Insufficient validation of untrusted input | Intents | 6.5 | August 2022 |
| (not listed) | Insufficient data validation | Mojo | 9.6 | September 2022 |
| CVE-2022-3723 | Type confusion | V8 engine | 8.8 | October 2022 |
| (not listed) | Heap buffer overflow | GPU component of Chrome | 9.6 | November 2022 |
| CVE-2022-4262 | Type confusion | V8 engine | NA | December 2022 |
CIS wrote in a blog post that the risk from CVE-2022-4262 is ‘high’ for large, medium, and small government entities and businesses, and that it poses a ‘low’ risk to individuals and home users.
“Google will not give details about the vulnerability until most users’ browsers are updated, and rightly so. The severity of this vulnerability can hardly be overstated. That’s why we recommend that you update your Chrome browser as soon as possible.”
To update Chrome to version 108.0.5359.94, click the three vertical dots (the menu icon) in the top right corner and go to Settings > About Chrome, where the browser automatically checks for updates. The application will prompt users to restart Chrome after the update is installed.
“It is worth noting that patching browsers can be problematic though, because people do not like rebooting their browsers, which is often required as part of an update. That’s why the best practice for organizations is to automate patching for third-party apps, including browsers, and ensure their IT teams can force reboots remotely in a way that is comfortable to end users,” Walters advised.
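For organizations automating that check across a fleet, the following is an added example (not code from Google, CIS or the article) that classifies hosts as patched or unpatched against the 108.0.5359.94 fix release named above; it assumes each host reports its version as `google-chrome --version` style text, and the inventory below is constructed.

```python
"""Check whether a Chrome build is at or above the CVE-2022-4262 fix release.

Added example, not Google's or the article's code. Assumes the fixed Stable
build is 108.0.5359.94 (from the article) and that version strings look like
`google-chrome --version` output; the sample inventory is constructed.
"""
import re

# Stable channel build that ships the fix for CVE-2022-4262 (from the article).
FIXED_VERSION = "108.0.5359.94"

# Matches a four-part Chrome version anywhere in a line of command output.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract the dotted version from e.g. 'Google Chrome 108.0.5359.71'."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no Chrome version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the installed build is the fix release or newer.

    Tuples compare component-wise, so 108.0.5359.94 > 108.0.5359.71 and
    109.x > 108.x, which a plain string comparison would get wrong.
    """
    return parse_version(version_text) >= parse_version(fixed)


def triage(hosts: dict) -> dict:
    """Split hosts into patched / unpatched / unknown from their --version output."""
    result = {"patched": [], "unpatched": [], "unknown": []}
    for host, output in hosts.items():
        try:
            result["patched" if is_patched(output) else "unpatched"].append(host)
        except ValueError:
            result["unknown"].append(host)  # binary missing or output garbled
    return result


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> `google-chrome --version` output.
    SAMPLE = {
        "ws-01": "Google Chrome 108.0.5359.94",
        "ws-02": "Google Chrome 108.0.5359.71",
        "ws-03": "Google Chrome 109.0.5414.74",
        "ws-04": "google-chrome: command not found",
    }
    for bucket, names in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Hosts landing in the unknown bucket need a manual look, since a missing or garbled version string is exactly the case where an unmanaged or broken install would otherwise slip through.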