Cybersecurity Threat Advisory Update: Google Zero-Day Vulnerability

A new critical security alert requires the mission-critical community’s immediate attention.

Google has released a new patch for Google Chrome to address critical vulnerabilities in V8[1], WebRTC (Web Real-Time Communications), and Chrome OS Shell components. If exploited, the vulnerabilities will allow cyberattackers to perform memory corruption and privilege escalation. MCP recommends applying the latest Google patch as soon as possible.

What Is the Threat?

The zero-day vulnerability, identified as CVE-2022-2294, was patched by Google. Zero-day attacks take advantage of flaws or vulnerabilities in hardware or software that are unknown to the vendor. Such attacks often go undiscovered for weeks or months

The details of CVE-2022-2294 are not fully disclosed at this time. However, Google stated that “access to bug details and links may be kept restricted until most users have updated the fix.”

A successful exploit can lead to program crashes, memory corruption, and arbitrary code execution that can escalate the cyberattacker’s privilege if code execution is achieved during the attack. None of the vulnerabilities require any authentication; however, they do require the user to perform some type of interaction.

Why Is it Noteworthy?

The vulnerability exists in the previous version of Google Chrome; despite the fact that information regarding the vulnerability is lacking, it is known that private exploits are available for purchase. According to Google, the vulnerabilities have been known to be exploited in the wild.

What Is the Exposure or Risk?

The WebRTC vulnerability can lead to Heap Overflow vulnerability. The V8 vulnerability can lead to the CWE-843 vulnerability, i.e., access to resources using incompatible types. The Chrome OS Shell vulnerability can cause a program to crash, use unexpected values, or execute code, affecting confidentiality, integrity, and availability.

What Are the Recommendations?

MCP recommends the following actions:

• Update to version 103.0.5060.114 for Windows, macOS, and Linux.
• Update to version 103.0.5060.71 for Android.
• The web browser also will auto-check for new updates and automatically install them after the next launch.

If you are looking for guidance, please reach out. MCP offers a comprehensive cybersecurity solutions suite for critical infrastructure organizations to help them determine their network, data, and application vulnerabilities. We can help you develop a complete cyberattack prevention strategy. Contact us today to learn more.

References

For more in-depth information about the recommendations, please visit the following links:

• • https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks/
  • https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html
  • https://vuldb.com/
  • https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html

[1] V8 is Google’s JavaScript and WebAssembly engine.