CVSS2: AV:N/AC:M/Au:N/C:C/I:C/A:C
Attack Vector: NETWORK; Attack Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: REQUIRED; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

AI Score Confidence: High
EPSS Percentile: 99.7%

Google has updated its Stable channel for the desktop version of Chrome, to address a zero-day security vulnerability that’s being actively exploited in the wild.
The bug, tracked as CVE-2022-1096, is a type-confusion issue in the V8 JavaScript engine, which is an open-source engine used by Chrome and Chromium-based web browsers. Type confusion, as Microsoft has laid out in the past, occurs “when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion…Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution.”
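The pattern in Microsoft's description, shown as an added illustration that is not code from Google, Microsoft or V8: a constructed toy object model (all type and function names are hypothetical) in which one accessor uses an object without checking its type tag and a hardened accessor verifies the tag first.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy object model constructed for illustration; names are hypothetical, not V8's. */
typedef enum { KIND_NUMBER, KIND_TEXT } Kind;

typedef struct {
    Kind kind;                  /* runtime type tag set by the constructors */
    union {
        double number;          /* valid only when kind == KIND_NUMBER */
        const char *text;       /* valid only when kind == KIND_TEXT */
    } as;
} Value;

static Value make_number(double d) {
    Value v = { .kind = KIND_NUMBER, .as = { .number = d } };
    return v;
}

static Value make_text(const char *s) {
    Value v = { .kind = KIND_TEXT, .as = { .text = s } };
    return v;
}

/* Confused: never looks at v->kind. For a number, the double's raw bytes
 * come back as if they were an address. The value is only returned here,
 * never dereferenced. */
static uintptr_t unchecked_text_addr(const Value *v) {
    return (uintptr_t)v->as.text;
}

/* Hardened: verify the tag before touching the union member.
 * Returns the string length, or -1 when the object is not text. */
static long checked_text_len(const Value *v) {
    if (v == NULL || v->kind != KIND_TEXT || v->as.text == NULL)
        return -1;
    return (long)strlen(v->as.text);
}

int main(void) {
    Value n = make_number(1.5), t = make_text("hello");
    printf("number 1.5 read as a pointer: %#llx\n",
           (unsigned long long)unchecked_text_addr(&n));
    printf("checked length: number=%ld text=%ld\n",
           checked_text_len(&n), checked_text_len(&t));
    return 0;
}
```

The unchecked accessor hands the caller data from the wrong union member as though it were a valid pointer, which is the "wrong data fed into the wrong piece of code" case in the quote; the checked accessor rejects the object instead.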
Google didn’t provide additional technical details, as is its wont, but did say that it was “aware that an exploit for CVE-2022-1096 exists in the wild.” An anonymous researcher was credited with finding the issue, which is labeled “high-severity” (no CVSS score was given).
The lack of any further information is a source of frustration to some.
“As a defender, I really wish it was more clear what this security fix is,” John Bambenek, principal threat hunter at Netenrich, said via email. “I get permission-denied errors or ‘need to authenticate,’ so I can’t make decisions or advise my clients. A little more transparency would be beneficial and appreciated.”
The internet giant has updated the Stable channel to 99.0.4844.84 for Chrome for Windows, Mac and Linux, according to its security advisory. Microsoft, which offers the Chromium-based Edge browser, also issued its own advisory. It’s unclear whether other offerings built on V8, such as the JavaScript runtime environment Node.js, are also affected.
The patch was issued on an emergency basis, likely due to the active exploit that’s circulating, researchers noted.
“The first thing which stood out to me about this update is that it only fixes a single issue,” Casey Ellis, founder and CTO at Bugcrowd, noted by email. “This is pretty unusual for Google. They typically fix multiple issues in these types of releases, which suggests that they are quite concerned and very motivated to see fixes against CVE-2022-1096 applied across their user-base ASAP.”
He also commented on the speed of the patch being rolled out.
“The vulnerability was only reported on the 23rd of March, and while Google’s Chrome team do tend to be fairly prompt in developing, testing and rolling patches, the idea of a patch for software deployed as widely as Chrome in 48 hours is something I continue to be impressed by,” he said. “Speculatively, I’d suggest that the vulnerability has been discovered via detection of active exploitation in the wild, and the combination of impact and potentially the malicious actors currently using it contributed to the fast turnaround.”
The V8 engine has been plagued with security bugs and targeted by cyberattackers many times in the last year:
Last year delivered a total of these 16 Chrome zero days: