|Category: Vulnerability Intelligence
|Vulnerability Class: Zero-Day Vulnerability
|CVE ID: CVE-2022-1096
|CVSS:3.0 Score: To be assigned
- Google released a security update to patch a critical zero-day vulnerability in Windows, Mac, and Linux operating systems with Chrome 99.0.4844.84.
- Google claims that the vulnerability was reported by an anonymous security researcher. The technical details and exploit for this vulnerability have been kept confidential until a majority of users patch it.
- Type confusion is a programming bug in which an app uses a given "type" of input to start data execution activities, but is deceived into treating the input as a different "type."
- The most critical type confusion vulnerabilities can allow arbitrary code execution. Hence the attackers can confuse the V8 engine, enabling it to perform unauthorized actions like reading and writing data on the victim’s machine.
- Chrome has 3.2 billion users, hence the exploit to this vulnerability has been kept confidential and has not been released on surface web or dark web forums.
- Google stated that it will release more information about this vulnerability once a majority of its users install the update, thereby patching the vulnerability.
- This vulnerability also affects Chromium browsers like Microsoft Edge and Brave. Chrome and Microsoft Edge have released auto-updates to fix the vulnerability.
Impact & Mitigation
|This is a critical vulnerability that could be exploited by threat actors to target ~3.2 billion users across the world. The previous zero-day vulnerability reported by Google (CVE-2022-0609) was actively exploited by North Korean threat actors before it was patched.
|Update Chrome to 9.0.4844.84 and version Microsoft Edge to 99.0.1150.55. Refer to the Google Security Advisories: Countering threats from North Korea Chrome Releases: Stable Channel Update for Desktop