Source: threatpost | Author: Elizabeth Montalbano | ID: THREATPOST:91A97EE2BD6933FEB9A07162BD4ED8B5
Published: Jul 05, 2022 - 11:54 a.m.

Google Patches Actively Exploited Chrome Bug

Tags: google, chrome, security update, zero-day vulnerability, exploit, cve-2022-2294, buffer overflow, webrtc, cve-2022-2295, v8 javascript engine, cve-2022-1096, cve-2022-1364, cve-2022-2296, patch, security flaw, chrome os shell

CVSS2: 6.8
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Attack Vector: NETWORK | Attack Complexity: MEDIUM | Authentication: NONE
Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL

CVSS3: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: REQUIRED | Scope: UNCHANGED
Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

AI Score: 9.2 (Confidence: High)
EPSS: 0.041 (Percentile: 92.2%)

While people were celebrating the Fourth of July holiday in the United States, Google quietly rolled out a stable channel update for Chrome to patch an actively exploited zero-day vulnerability, the fourth such flaw the vendor has had to patch in its browser product so far this year.

Chrome 103.0.5060.71 for Android and 103.0.5060.114 for Windows and Mac, announced in separate stable channel blog posts published Monday, fix a heap buffer overflow in WebRTC, the open-source component that gives the browser its real-time audio and video communication capability.

The vulnerability, tracked as CVE-2022-2294 and reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1, is a heap-based buffer overflow: a buffer overflow “where the buffer that can be overwritten is allocated in the heap portion of memory,” as the entry for that weakness class on the Common Weakness Enumeration (CWE) website describes it.

As usual, Google did not reveal specific details about the bug; it generally withholds them until most users have updated to the patched version of the affected product. Updating promptly is strongly recommended, since Google said it is aware that an exploit for the vulnerability already exists in the wild.

Moreover, with scant details revealed about the flaw (a habit of Google’s that many security researchers find frustrating), at this point an update is the only way to defend against attacks exploiting it. Fortunately, Chrome downloads updates in the background without user intervention, so most users will be protected once the patch reaches them and the browser has been relaunched; the installed version can be confirmed at chrome://settings/help.

According to the CWE listing, buffer overflows generally lead to crashes, and other availability attacks are possible, including putting the program into an infinite loop. The more serious outcome is that an attacker who controls the bytes written past the end of the buffer can often use the overflow to execute arbitrary code, typically outside the scope of the program’s implicit security policy.

“Besides important user data, heap-based overflows can be used to overwrite function pointers that may be living in memory, pointing it to the attacker’s code,” according to the listing. “Even in applications that do not explicitly use function pointers, the run-time will usually leave many in memory.”
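The CWE scenario quoted above, as an added illustration that is not part of the Threatpost article and has nothing to do with WebRTC’s actual code: a constructed C program places a fixed-size name buffer immediately before a callback pointer in one heap object (the struct layout, the function names and the payload are all assumptions for the example), copies attacker-controlled bytes with no length check, and shows the callback being redirected. The hardened constructor beside it applies the bounds check at the copy site.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout (an assumption for this example, not WebRTC's real code):
 * a fixed-size name buffer immediately followed by a callback pointer inside
 * one heap allocation, the situation CWE-122 describes. */
#define NAME_MAX 16

typedef void (*ready_fn)(const char *);

struct session {
    char name[NAME_MAX];   /* attacker-controlled bytes land here... */
    ready_fn on_ready;     /* ...and spill into this pointer on overflow */
};

static void greet_user(const char *n)  { printf("hello, %s\n", n); }
static void greet_admin(const char *n) { printf("ADMIN path for %s\n", n); } /* attacker's target */

/* Vulnerable constructor: trusts the caller-supplied length (CWE-122). */
struct session *session_new_vuln(const uint8_t *in, size_t len)
{
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->on_ready = greet_user;
    memcpy(s->name, in, len);           /* len > NAME_MAX overwrites on_ready */
    return s;
}

/* Hardened constructor: rejects anything that would not fit with its NUL. */
struct session *session_new_safe(const uint8_t *in, size_t len)
{
    if (len >= NAME_MAX) return NULL;   /* bounds check before the copy */
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL) return NULL;
    s->on_ready = greet_user;
    memcpy(s->name, in, len);
    s->name[len] = '\0';
    return s;
}

/* Constructed attacker input: NAME_MAX filler bytes, then the raw bytes of the
 * address the attacker wants on_ready to hold. Returns the payload length. */
size_t build_payload(uint8_t *out, size_t cap, ready_fn target)
{
    size_t need = NAME_MAX + sizeof target;
    if (cap < need) return 0;
    memset(out, 'A', NAME_MAX);
    memcpy(out + NAME_MAX, &target, sizeof target);
    return need;
}

/* 1 if the overflow redirected on_ready to greet_admin, 0 otherwise. */
int vuln_hijacked(void)
{
    uint8_t payload[64];
    size_t n = build_payload(payload, sizeof payload, greet_admin);
    struct session *s = session_new_vuln(payload, n);
    int hijacked = (s != NULL && s->on_ready == greet_admin);
    free(s);
    return hijacked;
}

/* 1 if the hardened path refuses the same payload. */
int safe_rejects_payload(void)
{
    uint8_t payload[64];
    size_t n = build_payload(payload, sizeof payload, greet_admin);
    return session_new_safe(payload, n) == NULL;
}

/* 1 if the hardened path still accepts a normal name and keeps its callback. */
int safe_accepts_short(void)
{
    const uint8_t name[] = "alice";   /* constructed benign input */
    struct session *s = session_new_safe(name, 5);
    int ok = (s != NULL && strcmp(s->name, "alice") == 0 && s->on_ready == greet_user);
    free(s);
    return ok;
}

int main(void)
{
    uint8_t payload[64];
    size_t n = build_payload(payload, sizeof payload, greet_admin);
    struct session *v = session_new_vuln(payload, n);
    if (v != NULL) {
        v->on_ready("alice");   /* control flow now lands in greet_admin */
        free(v);
    }
    printf("hardened constructor %s the oversized input\n",
           session_new_safe(payload, n) == NULL ? "rejected" : "accepted");
    return 0;
}
```

Two caveats worth noting. First, the pointer here sits in the same allocation as the buffer, which makes the overwrite deterministic; against a real allocator the attacker has to groom the heap so that an object holding a pointer lands adjacent to the overflowed chunk. Second, because every written byte stays inside the allocation, neither glibc’s _FORTIFY_SOURCE check on memcpy nor AddressSanitizer (which does not track intra-object bounds by default) reports anything for the vulnerable path; the fix is the length check at the copy site, not a sanitizer run.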

Other Fixes

In addition to fixing the zero-day buffer overflow flaw, the Chrome releases also patch a type confusion flaw in the V8 JavaScript engine tracked as CVE-2022-2295 and reported June 16 by researchers “avaue” and “Buff3tts” at S.S.L., according to the post.

This is the third such flaw in the open-source engine used by Chrome and Chromium-based web browsers patched this year alone. In March a separate type-confusion issue in the V8 JavaScript engine, tracked as CVE-2022-1096 and under active attack, spurred a hasty patch from Google.

Then in April, the company patched CVE-2022-1364, another type confusion flaw affecting Chrome’s use of V8 on which attackers already had pounced.

Another flaw patched in Monday’s Chrome update is a use-after-free flaw in Chrome OS Shell reported by Khalil Zhani on May 19 and tracked as CVE-2022-2296, according to Google. All of the flaws patched in this week’s update received a rating of high. The updates also include several fixes from internal audits, fuzzing and other initiatives, Google said.

Prior to patching the Chrome V8 JavaScript engine flaws in March and April, Google in February already had patched a zero-day use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that was under active attack.
