threatpost | Tara Seals | THREATPOST:45B63C766965F5748AEC30DE709C8003
Mar 30, 2022 - 4:14 p.m.

Google Chrome Bug Actively Exploited as Zero-Day

2022-03-30 16:14:30
Tara Seals
threatpost.com
Tags: google chrome, zero-day, cve-2022-1096, type confusion, v8 engine, security vulnerability, exploit, update, emergency patch, windows, mac, linux, chromium, edge browser, node.js, bugcrowd, cyberattackers, security bugs

CVSS2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

  • Attack Vector: NETWORK
  • Attack Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

CVSS3: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: REQUIRED
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

AI Score: 9.5 (Confidence: High)

EPSS: 0.966 (Percentile: 99.7%)

Google has updated its Stable channel for the desktop version of Chrome to address a zero-day security vulnerability that’s being actively exploited in the wild.

The bug, tracked as CVE-2022-1096, is a type-confusion issue in the V8 JavaScript engine, which is an open-source engine used by Chrome and Chromium-based web browsers. Type confusion, as Microsoft has laid out in the past, occurs “when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion…Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution.”

Google didn’t provide additional technical details, as is its wont, but did say that it was “aware that an exploit for CVE-2022-1096 exists in the wild.” An anonymous researcher was credited with finding the issue, which is labeled “high-severity” (no CVSS score was given).

The lack of any further information is a source of frustration to some.

“As a defender, I really wish it was more clear what this security fix is,” John Bambenek, principal threat hunter at Netenrich, said via email. “I get permission-denied errors or ‘need to authenticate,’ so I can’t make decisions or advise my clients. A little more transparency would be beneficial and appreciated.”

Emergency Patch; Active Exploit

The internet giant has updated the Stable channel to 99.0.4844.84 for Chrome for Windows, Mac and Linux, according to its security advisory. Microsoft, which offers the Chromium-based Edge browser, also issued its own advisory. It’s unclear whether other offerings built on V8, such as the JavaScript runtime environment Node.js, are also affected.
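For defenders checking a fleet against the fixed Stable build, the following is an added example, not code from Google or Threatpost. It compares reported Chrome versions numerically against 99.0.4844.84; the inventory format (`host,version string`), the host names and the sample rows are constructed assumptions.

```python
import re

# Fixed Stable build named in the article for Windows, Mac and Linux.
FIXED = (99, 0, 4844, 84)

# Chrome versions have four numeric parts: MAJOR.MINOR.BUILD.PATCH
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first four-part version in `text` as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    return tuple(int(part) for part in m.groups()) if m else None


def audit(inventory_lines):
    """Map each host to 'patched', 'needs-update' or 'unknown'.

    Each line is 'host,version string' (an assumed export format).
    Versions are compared as integer tuples: a plain string comparison
    would rank '100.x' below '99.x' and misreport newer builds.
    """
    results = {}
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, raw = line.partition(",")
        version = parse_version(raw)
        if version is None:
            results[host] = "unknown"        # no parsable version reported
        elif version >= FIXED:
            results[host] = "patched"
        else:
            results[host] = "needs-update"   # older than the fixed build
    return results


# Constructed sample inventory (hosts and versions are illustrative).
SAMPLE = """\
ws-001,Google Chrome 99.0.4844.84
ws-002,Google Chrome 99.0.4844.82
ws-003,Google Chrome 100.0.4896.60
ws-004,Google Chrome 98.0.4758.102
ws-005,not installed
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE.splitlines()).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` still need a manual check, and the threshold applies only to Chrome; the article gives no fixed version for Edge or other Chromium-based browsers.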

The patch was issued on an emergency basis, likely due to the active exploit that’s circulating, researchers noted.

“The first thing which stood out to me about this update is that it only fixes a single issue,” Casey Ellis, founder and CTO at Bugcrowd, noted by email. “This is pretty unusual for Google. They typically fix multiple issues in these types of releases, which suggests that they are quite concerned and very motivated to see fixes against CVE-2022-1096 applied across their user-base ASAP.”

He also commented on the speed of the patch being rolled out.

“The vulnerability was only reported on the 23rd of March, and while Google’s Chrome team do tend to be fairly prompt in developing, testing and rolling patches, the idea of a patch for software as widely deployed as Chrome in 48 hours is something I continue to be impressed by,” he said. “Speculatively, I’d suggest that the vulnerability has been discovered via detection of active exploitation in the wild, and the combination of impact and potentially the malicious actors currently using it contributed to the fast turnaround.”

V8 Engine in the Crosshairs

The V8 engine has been plagued with security bugs and targeted by cyberattackers many times in the last year:

Last year delivered a total of these 16 Chrome zero days:

  • CVE-2021-21148 – Feb. 4, an unnamed type of bug in V8
  • CVE-2021-21224 – April 20, an issue with type confusion in V8 that could have allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
  • CVE-2021-30551 – June 9, a type-confusion bug within V8 (also under active attack as a zero-day)
  • CVE-2021-30563 – July 15, another type-confusion bug in V8.
  • CVE-2021-30633 – Sept. 13, an out-of-bounds write in V8
  • CVE-2021-37975 – Sept. 30, a use-after-free bug in V8 (also attacked as a zero-day)
  • CVE-2021-38003 – Oct. 28, an inappropriate implementation in V8
  • CVE-2021-4102 – Dec. 13, a use-after-free bug in V8.
