Google has released an emergency update to address a high-severity zero-day vulnerability – CVE-2022-109). The vulnerability, reported by an anonymous security researcher, is said to be exploited in the wild.
This zero-day vulnerability is a type-confusion flaw in the Chrome V8 JavaScript engine. A type-confusion error arises when a resource (e.g., a variable or an object) is accessed using an incompatible type.
While type-confusion flaws typically result in browser crashes when successfully exploited by reading or writing memory outside of buffer bounds, they can also be used to execute arbitrary code.
Even though Google stated that it had detected attacks in the wild leveraging this zero-day, the corporation did not provide technical details or information about these instances.
CVE-2022-1096 is the second Chrome zero-day addressed by Google this year.
CVE-2022-0609 was the first zero-day patched in February by Google.
Affected versions
All the Google Chrome versions prior to 99.0.4844.84 are affected by this vulnerability.
Mitigation
Customers are advised to upgrade to the latest Chrome version 99.0.4844.84. For more information, please refer to the Google Chrome security page.
Qualys Detection
Qualys customers can scan their devices with QID 376499 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://sites.google.com/a/chromium.org/dev/Home/chromium-security
https://www.securityweek.com/google-issues-emergency-fix-chrome-zero-day
https://thehackernews.com/2022/03/google-issues-urgent-chrome-update-to.html
https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html
https://www.bleepingcomputer.com/news/security/emergency-google-chrome-update-fixes-zero-day-used-in-attacks/
