Chromium’s WebRTC Zero-Day was Just the Tip of the Iceberg

Enterprises need to strengthen their stance at the cybersecurity frontlines. Read on to learn more about smarter vulnerability management.

January 24, 2023

The number of zero-day Chrome vulnerabilities being exploited in the wild is on the rise. But Google is far from alone. With the dawn of the distributed workforce, web browsers have been forced to cybersecurity’s front lines, and organizations must find new ways to defend them, shares Dor Zvi, co-founder and CEO at Red Access.

On August 20th of last year, Google discovered a heap-buffer overflow bug (CVE-2022-2294) in WebRTC – an HTML5 specification that allows webpages to play real-time audio and video content in the browser. The vulnerability could be exploited for denial-of-service (DoS), remote code execution (RCE), and other forms of high-severity attacks.

Since that high-profile vulnerability hit the headlines in August, four more Chrome zero-days have been found exploited in the wild, bringing us to a staggering total of eight zero-day Chrome vulnerabilities exploited in the wild this year alone. 

While Google has since released updates to patch all of the aforementioned critical vulnerabilities, it’s important to note that both the volume and frequency of these types of exploits are on the rise. So, it’s not a matter of if but when the next Chrome zero-day is exploited in the wild. 

Remote Work, Browserization Lead to Bigger Targets on Browsers’ Backs

The number of zero-day vulnerabilities to be actively exploited “in the wild” against Chrome has risen dramatically in recent years. Throughout all of 2019, Google saw just two zero-day Chrome vulnerabilities being exploited in the wild. Fast forward just two years later, to 2021, and the annual total shot all the way up to 14. 

There are a variety of reasons one could point to explain this sudden jump, including the growing popularity of Chrome itself. But there are clearly other forces at work here, especially considering Chrome is far from alone in its growing struggles against zero-days. In fact, the very same WebRTC exploit used against Chromium browsers (CVE-2022-2294) was also leveraged against Safari users. 

With the rise of remote and hybrid work environments, the web browser has taken on a new-found, central role in the day-to-day responsibilities of the average enterprise employee – serving as their primary means of accessing and performing work. And as a result, malicious actors are working round the clock to identify vulnerabilities and develop exploits to take advantage of this shift. And thus far, they’ve proven quite successful. 

According to a recent report, nearly two-thirds of organizations have had a device compromised by a browser-based attack within the past 12 months – and all signs suggest that their frequency and severity will only increase over time.

Browser Complexity Opens the Doors to New Vulnerabilities

In addition to the browser’s increasing centrality as a workplace productivity tool, these applications are also growing increasingly complex – with new components and capabilities being added by the day, ranging from near-field communication (NFC) support to novel file formats like AVIF. And with each of these new developments, browser developers run the risk of introducing new opportunities for exploits. To its credit, even Google has recognized this fact as essentially an inevitability.

In the aforementioned blog post from Google’s Chrome Security Team, Adrian Taylor writes, “Browsers increasingly mirror the complexity of operating systems – providing access to your peripherals, filesystem, 3D rendering, GPUs – and more complexity means more bugs.”

Not only does greater complexity increase the opportunity for bugs, but it also doubles down on making browsers even more attractive targets for malicious actors. For these reasons, it’s not a matter of if but when the next browser-based zero-day vulnerability is found in the wild. 

Why Relying on Luck, Remediation Is a Losing Bargain

The WebRTC exploit is simply the most attention-grabbing in an increasingly long line of zero-day flaws affecting Chrome and other web browsers, and it won’t be the last. With both the number and frequency of these exploits climbing by the day, simply crossing your fingers that your organization won’t be one of the unlucky few to fall victim to the exploit “in the wild” is a dangerous proposition.

When your first and last lines of defense are remediation, your organization is left vulnerable from the moment of the first exploit to the very end of the “patch gap” (i.e., the amount of time it takes to roll out an update after discovering a zero-day). To Google’s credit, they’ve managed to bring their average Chrome patch gap down from 35 days in Chrome version 76 to just 18 days today. But, as we all know, 18 days is more than enough time for a malicious actor to do serious damage to an organization. Even the 18-day figure assumes that every user in your organization immediately updates their browser (or, at the very least, restarts their computer or device) as soon as the update is released.

But, whether it’s 18 days or 8, relying on remediation places organizations at significant risk. And with zero-days no longer being exclusive to the arsenals of nation-states, the scope of likely targets has also expanded to include anyone and everyone with money or valuable information to lose.

From Securing the Browser to Securing the Session 

Closing gaps in security is always an uphill battle – even for the most sophisticated security teams – with vulnerabilities often only making themselves apparent at the point of exploit.

For all these reasons (and more), it’s imperative that organizations shift their focus away from securing the web browser and toward securing the web session.

It’s necessary to effectively cloak each web session in a secure environment, executing a real-time security layer before each web page or request is loaded without employing RBI, changing contents, or other cumbersome, latency-laden techniques. This provides solutions to the full scope of challenges faced by the secure browsing space – namely, preventing threats without causing disruptions to the day-to-day productivity of end users or saddling admins with yet another end-point agent. 

New Thinking is Required to Keep Ahead of Threats

With the web browser rapidly becoming the crown jewel of workplace productivity, hackers will undoubtedly continue to ramp up their efforts to undermine it. That’s why it’s high time organizations start thinking differently about browsing security.

It’s only a matter of time until the next browsing-based vulnerability makes headlines and sends organizations scrambling. Let’s hope that more are ready for it. 

Dor Zvi

CEO and co-founder, Red Access

Dor Zvi is the CEO and co-founder of Red Access. An expert in defensive and offensive cybersecurity approaches, Zvi brings extensive knowledge in threat detection and response, malware analysis, and information security, having served many years in the Israel Defense Forces (IDF) technology units, followed by senior research and development positions at leading tech companies.