Google Issues Emergency Update to Patch Actively Exploited Zero-Day Chrome Vulnerability
Key Points From The Article
- Google released an out-of-band security update to address just a single vulnerability.
- The tech giant confirms that cybercriminals are actively exploiting the high-severity zero-day vulnerability.
- Google describes CVE-2022-1096 as a V8 type confusion that stems from Chrome’s JavaScript engine.
- The update release calls for Chrome users to update their browsers urgently because attackers are already exploiting the vulnerability in the wild.
Google rarely releases a Chrome update that addresses only a single vulnerability. However, in the March 25th Chrome Releases announcement, Google acknowledged that it is aware of CVE-2022-1096 and that attackers are actively exploiting it.
Following the update release, Google advised that all Chrome users update their browsers urgently, emphasizing how serious this security vulnerability is.
A Deep Dive into the CVE-2022-1096
Google holds back information about the exploit CVE-2022-1096, which is not unusual in cases when attackers are already exploiting a vulnerability. The tech giant will not reveal technical details about the vulnerability until the update they have released can protect most of Chrome’s 3.2 billion users.
While the public knows the bare minimum about CVE-2022-1096, Google refers to it as a “V8 Type Confusion” with an in-the-wild exploit. The vulnerability is a zero-day in Chrome’s JavaScript engine.
The CVE-2022-1096 vulnerability is the second zero-day exploit that Google Chrome has addressed in 2022. The first was CVE-2022-0609, and Google patched it on 14th February 2022.
What Is a Zero-Day Vulnerability?
A zero-day exploit refers to a scary situation where an attacker knows about a hidden flaw or a bug in the software, one which has no available fix yet. Hackers love zero-day vulnerabilities because they create free room to exploit users.
Google’s Threat Analysis Group (TAG) reports that North Korean state-sponsored hacking gangs have been leveraging the zero-day in Chrome to execute code on target machines.
Before Google patched the first zero-day vulnerability, the North Korean hackers used it to exploit computers in different FinTech and media companies. According to TAG, the attackers targeted:
- Media
- Software vendors
- Domain host registrars
- Web hosts
The attackers targeted up to 10 different companies and 250 individuals. The cybercriminals sent fake job recruitment emails claiming they were from Oracle, Google, and Disney. The emails looked like they came from Indeed.com or ZipRecruiter, but they originated from spoofed versions of the sites.
How Hackers Utilized the First Chrome Zero-Day Exploit
Ideally, for the hacker, the target victims would click through to the fake site, which had a hidden iframe (an HTML page nested inside another) that launched the malicious software intended to exploit the Chrome zero-day vulnerability.
Another group of hackers used the same malicious software toolkit to attack up to 85 individuals, including cryptocurrency and FinTech companies. On top of the fake sites the attackers used to drive infections, they compromised two legitimate sites and used them to spread the attack.
In the first zero-day exploit, the attackers used AES (Advanced Encryption Standard) encryption for each stage to hide their footprints.
The Second Chrome Zero-Day Vulnerability
Google hasn’t released more information about the second Zero-day CVE-2022-1096 vulnerability they have patched other than admitting there have been attacks utilizing the zero-day weakness.
The company says that it’ll keep some information away from the public as a safety measure, stating that full details on how the vulnerability worked won’t be public until most users have the patch.
The emergency update from version 99.0.4844.82 to version 99.0.4844.84 is unusual in that it addresses only a single vulnerability. Fortunately, Google was able to seal the vulnerability before it was widely known.
What Is a Type Confusion Error?
Type confusion errors are powerful bugs with the potential of forming the basis of 100% successful exploits.
According to CWE (Common Weakness Enumeration), type confusion stems from confusion between object types. When code accesses a memory buffer using the wrong type, it can bypass bounds checking and leak data from the target.
When code uses a larger wrong type to access a smaller region of memory, the access can overrun the buffer, causing a crash and potentially allowing code execution.
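The following C program is an added illustration of the mechanism described above, not code from Google or from this article: a constructed 8-byte object is read through a 16-byte type, first without and then with a type-tag check. The object layouts, the arena, and all names are assumptions made for the example and do not reflect V8's internals.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layouts for illustration only; these are not V8's objects. */
enum { TAG_SMALL = 1, TAG_LARGE = 2 };
struct small_obj { uint8_t tag; uint8_t data[7];  };  /*  8 bytes */
struct large_obj { uint8_t tag; uint8_t data[15]; };  /* 16 bytes */
static uint8_t arena[32];  /* a small object followed by unrelated bytes */

static void arena_init(void) {
    struct small_obj s = { TAG_SMALL, "public" };
    memset(arena, 0, sizeof arena);
    memcpy(arena, &s, sizeof s);
    memcpy(arena + sizeof s, "SECRET!", 8);  /* constructed neighbour data */
}

/* Confused access: bounds-checks against large_obj, never checks the tag. */
static int read_large_unchecked(size_t off, size_t i) {
    struct large_obj view;
    if (off > sizeof arena - sizeof view || i >= sizeof view.data) return -1;
    memcpy(&view, arena + off, sizeof view);
    return view.data[i];
}

/* Hardened access: verify the stored tag before interpreting the bytes. */
static int read_large_checked(size_t off, size_t i) {
    if (off >= sizeof arena || arena[off] != TAG_LARGE) return -2;
    return read_large_unchecked(off, i);
}

/* Collects what the confused view exposes past the small object's 7 bytes. */
static size_t leak_via_confusion(char *out, size_t n) {
    size_t k = 0;
    if (n == 0) return 0;
    for (size_t i = sizeof(struct small_obj) - 1; k + 1 < n; i++) {
        int b = read_large_unchecked(0, i);
        if (b <= 0) break;  /* stop at NUL or at the view's own bound */
        out[k++] = (char)b;
    }
    out[k] = '\0';
    return k;
}

int main(void) {
    char buf[16];
    arena_init();
    leak_via_confusion(buf, sizeof buf);
    printf("unchecked: \"%s\"  checked: %d\n", buf, read_large_checked(0, 7));
}
```

The unchecked reader passes its own bounds check because that check is written for the larger type; only the tag comparison in the hardened reader stops the read from reaching the neighbouring bytes.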
Google’s Explanation About the Increasing Chrome Zero-Day Exploitation
Over the past years, there has been a surge in the exploitation of zero-day vulnerabilities in Chrome. Google explains that several factors contribute to the surge, including:
- Increasing public awareness of in-the-wild exploitation: research groups and browser security teams are teaching the public about how to exploit zero-day vulnerabilities
- The attackers’ desire to chain multiple bugs for a single exploit
- Deprecation of Flash and the increased popularity of the browser resulted in attackers shifting their focus from Adobe Flash vulnerabilities to the browser itself.
- Increasing browser complexities to incorporate multiple functions. While the complexity is beneficial for functionality, it also means more bugs.
Google insists that they are taking more measures to prevent malicious actors from abusing Chrome, such as:
- Quicker vulnerability patching
- Employing mechanisms that make vulnerability exploitation more difficult
The company paid out nearly $9 million in bug bounties in 2021, including $3.1 million for Chrome vulnerabilities.
How Do You Apply the CVE-2022-1096 Zero-Day Security Patch Now?
You can patch the vulnerability in Chrome with the following steps:
- After opening your Chrome browser, click the three dots at the top right of the screen to open a drop-down menu.
- Scroll down to Help and click on it. Another small menu will open.
- Choose the About Google Chrome option.
- A new window will open, and the update will start downloading if it’s available.
As Google said in their Chrome release announcement, the update may take a few days to reach everyone. If you haven’t found an update yet, be patient. After installing the Chrome update, restart your browser to activate it. Failure to update Chrome will leave you vulnerable to attacks.
Orion Networks Helps Businesses Protect Themselves from Latest Cyber Threats
Attackers will never stop trying to leverage your organization’s vulnerabilities as long as they exist. You need cybersecurity solutions that monitor your network and counter security threats your business may face.
Orion Networks has been securing businesses for over a decade and can help keep your cybersecurity up-to-date. Contact us today for vulnerability management and cybersecurity services.