Google has released security updates for its Windows and Android users to address a high-severity, zero-day vulnerability in its Chrome browser. The vulnerability was discovered by Jan Vojtesek from the Avast Threat Intelligence team on 1st July.
Tracked as CVE-2022-2294, the vulnerability is a heap-based buffer overflow vulnerability in the WebRTC (Web Real-Time Communications) component. This component is responsible for providing real-time audio and video communication capabilities in browsers without installing any plugins or downloading native apps.
In their advisory, Google mentions that the vulnerability also affects the Android version of Chrome.
According to OWASP, a buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold or when a program attempts to put data in a memory area past a buffer. The impact of successful heap overflow exploitation can range from program crashes to arbitrary code execution.
Other than CVE-2022-2294, this update also addresses two more security flaws:
- CVE-2022-2295: Type Confusion in V8
- CVE-2022-2296: Use after free in Chrome OS Shell
All three vulnerabilities are marked with a high-severity rating.
CVE-2022-2294 is the fourth zero-day vulnerability in Chrome since the start of the year. The previous zero-days are mentioned in chronological order:
- CVE-2022-0609: Use-after-free in Animation (February 14th)
- CVE-2022-1096: Type-confusion flaw in the Chrome V8 JavaScript engine (March 25th)
- CVE-2022-1364: Type confusion in V8 (April 14th)
Affected versions
All Chrome versions prior to 103.0.5060.114 (for Windows, macOS, and Linux) and 103.0.5060.71 (for Android) are affected by this vulnerability.
Mitigation
Customers are advised to upgrade to the latest Chrome version 103.0.5060.114 for Windows, macOS, and Linux and Chrome 103 (103.0.5060.71) for Android. For more information, please refer to the Google Chrome security page (for Windows) and Google Chrome security page (for Android).
The customer can check for the updates by navigating to Chrome menu > Help > About Google Chrome. The web browser will automatically check for new updates and install them when it is launched.
Microsoft has released the latest Microsoft Edge Stable Channel (Version 103.0.1264.49) addressing the latest Security Updates of the Chromium project. This update contains a fix for CVE-2022-2294 reported by the Chromium team as having an exploit in the wild.
Qualys Detection
Qualys customers can scan their devices with QIDs 376716, 376719, and 630819 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References
https://owasp.org/www-community/vulnerabilities/Buffer_Overflow
https://thehackernews.com/2022/07/update-google-chrome-browser-to-patch.html
https://chromereleases.googleblog.com/2022/07/chrome-for-android-update.html
https://chromereleases.googleblog.com/2022/07/stable-channel-update-for-desktop.html
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#july-6-2022
https://www.bleepingcomputer.com/news/security/google-patches-new-chrome-zero-day-flaw-exploited-in-attacks/