The 9th Google Chrome Zero-Day Threat this Year – Again Just Before the Weekend


Google has released yet another security update for the Chrome desktop web browser to address a high-severity vulnerability that is being exploited in the wild. This is the ninth Chrome zero-day fixed this year by Google. This security bug ([CVE-2022-4262](<https://chromereleases.googleblog.com/2022/12/stable-channel-update-for-desktop.html>); _QID 377804_) is a Type Confusion vulnerability in Chrome’s V8 JavaScript Engine. Google has withheld details about the vulnerability to limit further malicious exploitation and to give users time to apply the necessary security updates to their Chrome installations.

Google’s previous zero-days were also released right before a weekend (see [Don’t spend another weekend patching Chrome](<https://blog.qualys.com/product-tech/2022/10/28/chrome-zero-day-cve-2022-3723>) and [Don’t Spend Your Holiday Season Patching Chrome](<https://blog.qualys.com/product-tech/patch-management/2022/11/29/dont-spend-your-holiday-season-patching-chrome>)).

![](https://ik.imagekit.io/qualys/wp-content/uploads/2022/11/Picture1.jpg)

## Organizations respond, but slowly

Analyzing anonymized data from the Qualys data lake, the Qualys Threat Research Unit found that, for Chrome zero-day vulnerabilities introduced between February and August, more than 90% of these instances were remediated. However, it took 11-21 days to remediate via the Chrome patch. With the frequency of vulnerabilities released in this widely used browser and the fact that browsers, by their nature, are more exposed to external attacks, reducing the MTTR for those Chrome vulnerabilities is critical.

![](https://ik.imagekit.io/qualys/wp-content/uploads/2022/12/image.png)

2022 Chrome Zero-Day Vulnerabilities, MTTR

Of the nine Chrome zero-day threats this year, five were introduced just before the weekend on a Thursday or Friday.
Organizations that don't leverage automated patching must spend the weekend or holiday working on the manual, lengthy process of detecting vulnerable devices, preparing the Chrome patch, testing it, and deploying it to affected assets.

CVE| Release Date| Day of the Week| Vulnerability Remediation Rate
---|---|---|---
CVE-2022-0609| 2/14/2022| Monday| 94%
CVE-2022-1096| 3/25/2022| **Friday**| 94%
CVE-2022-1364| 4/14/2022| **Thursday**| 93%
CVE-2022-2294| 7/4/2022| Monday| 93%
CVE-2022-2856| 8/16/2022| Tuesday| 91%
CVE-2022-3075| 9/2/2022| **Friday**| 85%
CVE-2022-3723| 10/27/2022| **Thursday**| 65%
CVE-2022-4135| 11/24/2022| **Thursday (Thanksgiving)**| 52%
CVE-2022-4262| 12/2/2022| **Friday**| NA

2022 Chrome Zero-Day vulnerability release dates and percentage of remediation

## Qualys Patch Management speeds remediation

The Qualys Threat Research Unit has found that, on average, critical vulnerabilities are weaponized in 15.9 days. Significantly reducing MTTR shortens the exposure window and improves an organization's risk posture.

[Qualys Patch Management](<https://www.qualys.com/apps/patch-management/>) with Zero-Touch Patching allows organizations to use their Qualys Cloud Agent for vulnerability management and to deploy third-party application patches, including Chrome. If the Qualys Cloud Agent is installed on an asset, customers can patch it, regardless of any other deployed patch solution. By defining a simple zero-touch policy, assets can automatically deploy patches when the vendor releases a new one. If testing patches like Chrome is required before production deployment, automatically set up a zero-touch policy to deploy to a set of test devices before deploying the same tested patches to production devices.

If you are a Qualys customer without Patch Management, a [trial](<https://www.qualys.com/apps/patch-management/>) can be enabled quickly, leveraging the same agent used with VMDR.
This allows you to immediately deploy the Chrome patch to your environment and create those automation jobs to ensure that the next time Google or any other vendor releases a patch, your assets are automatically updated.