CVSS3: 10.0 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 9.3 High (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Google on Monday issued 11 security fixes for its Chrome browser, including a high-severity zero-day bug that is being actively exploited in the wild.
In a brief update, Google described the weakness, tracked as CVE-2022-0609, as a use-after-free vulnerability in Chrome’s Animation component. A use-after-free arises when code keeps using memory through a pointer after that memory has been released; if an attacker can control what is allocated into the freed slot, the outcome ranges from corruption of valid data to execution of arbitrary code on the vulnerable system. On its own, a bug in a renderer-side component such as Animation yields code execution inside Chrome’s sandbox; breaking out of the sandbox normally requires chaining a second flaw, which in-the-wild exploit chains routinely do.
“Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild,” according to its security update.
Chrome users can fix it straight away by going to the Chrome menu > Help > About Google Chrome, which triggers the update check; the fixed build is 98.0.4758.102 for Windows, Mac and Linux, and the new code only takes effect once Chrome is relaunched.
Given that the zero day is under active attack, updating Chrome should be done ASAP.
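For anyone who has to verify the fix across more than one machine, the following script is an added example written for this article (it is not Threatpost’s or Google’s code). It parses the output of the browser’s --version flag and compares it against 98.0.4758.102, the build Google shipped in the 14 Feb 2022 Stable Channel Update. The binary names and the macOS app path are assumptions about common installs, the sample version strings used in the checks are constructed, and on Windows the equivalent check is chrome://version or the file version of chrome.exe.

```shell
#!/bin/sh
# Added example: is the installed Chrome/Chromium at or above the build that
# fixed CVE-2022-0609? Fixed build per Google's 14 Feb 2022 Stable update.
FIXED_VERSION="98.0.4758.102"

# version_ge A B -> exit 0 when dotted version A is >= B, comparing the four
# numeric fields in turn (a missing field counts as 0).
version_ge() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$1" | cut -d. -f"$i")
        y=$(printf '%s' "$2" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# extract_version "<text>" -> first four-part dotted version found, or nothing.
# "--version" prints e.g. "Google Chrome 98.0.4758.102 " or "Chromium 99.0.4844.51".
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+){3}' | head -n 1
}

# chrome_patched "<output of --version>" -> 0 patched, 1 vulnerable, 2 unparseable.
chrome_patched() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Runs every candidate binary present on this host (names and the macOS path are
# assumptions) and prints one status line per install. Returns 1 if none found.
# Caveat: a Chrome that is still running keeps executing the old code until it
# is relaunched, even after the files on disk have been updated.
check_installed() {
    found=1
    for bin in google-chrome google-chrome-stable chromium chromium-browser \
               "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome"; do
        if command -v "$bin" >/dev/null 2>&1; then
            found=0
            out=$("$bin" --version 2>/dev/null)
            rc=0; chrome_patched "$out" || rc=$?
            case $rc in
                0) echo "OK         $bin: $out" ;;
                1) echo "VULNERABLE $bin: $out (need >= $FIXED_VERSION)" ;;
                *) echo "UNKNOWN    $bin: could not parse '$out'" ;;
            esac
        fi
    done
    return $found
}

# Scan only when asked, so the functions can also be sourced from other scripts.
if [ "${1:-}" = "--scan" ]; then
    check_installed
fi
```

Run it as `sh chrome_check.sh --scan`; an exit status of 1 means no supported binary was found rather than a vulnerable one, so feed the printed lines into whatever inventory tool you use rather than relying on the exit code alone.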
Chrome security updates. Source: Google.
Credit for the Animation zero day goes to Adam Weidemann and Clément Lecigne, both from Google’s Threat Analysis Group (TAG).
Monday’s update also plastered over four other high-severity use-after-free flaws found in Chrome’s Webstore API, File Manager, ANGLE and GPU components. The company also addressed a high-severity integer overflow in Mojo, Chrome’s inter-process messaging layer, plus a high-severity heap buffer overflow in Tab Groups. Finally, Google patched a medium-severity inappropriate-implementation issue in the Gamepad API.
This is Chrome’s first zero day of the year, and more are sure to follow. But at least we’ve made it 10 days further into the new-ish year than we managed in 2021, when the first bug to hit arrived on Feb. 4.
Last year delivered a total of 16 Chrome zero days:
chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html
chromium.googlesource.com/chromium/src/+/main/docs/mojo_and_services.md
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21224
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30554
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30563
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37973
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38000
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38003
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4102
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0609
cwe.mitre.org/data/definitions/416.html
en.wikipedia.org/wiki/ANGLE_(software)
threatpost.com/chrome-browser-bug-under-attack/166804/
threatpost.com/chrome-zero-day-exploit-twitter/165363/
threatpost.com/google-chrome-zero-day-exploited/169442/
threatpost.com/google-chrome-zero-day-windows-mac/163688/
threatpost.com/google-emergency-update-chrome-zero-days/175266/
threatpost.com/google-high-severity-blink-browser-engine-flaw/147770/
threatpost.com/google-mac-windows-chrome-zero-day/164759/
threatpost.com/google-patches-actively-exploited-flaw-in-chrome-browser/164468/