Google released patches to address a zero-day vulnerability in the Chrome browser. Tracked as CVE-2022-3723, it is a high-severity vulnerability in the Chrome V8 JavaScript engine. The vulnerability was discovered and reported by Jan Vojtěšek, Milánek, and Przemek Gmerek of Avast.
“Google is aware of reports that an exploit for CVE-2022-3723 exists in the wild”, says the advisory.
CVE-2022-3723 is a Type Confusion vulnerability arising in Chrome V8. A type confusion flaw occurs when a code section uses an object without inspecting the type of object supplied to it. Because a type is specified as a memory layout in the lower-level implementation of Flash Player, type confusion can be extremely dangerous. Wrong function pointers or data can also be sent to the wrong piece of code due to type confusion. This may occasionally result in code execution.
CVE-2022-3723 is the seventh zero-day vulnerability patched in the Chrome browser since the start of the year. Following are the previous zero-days in chronological order:
- CVE-2022-3075: Insufficient data validation in Mojo (September 2nd)
- CVE-2022-2856: Insufficient validation of untrusted input in Intents (August 17th)
- CVE-2022-2294: Heap-based buffer overflow vulnerability in the WebRTC (Web Real-Time Communications) component (July 4th)
- CVE-2022-1364: Type confusion in V8 (April 14th)
- CVE-2022-1096: Type confusion flaw in the Chrome V8 JavaScript engine (March 25th)
- CVE-2022-0609: Use-after-free in Animation (February 14th)
Affected versions
All the Google Chrome versions prior to 107.0.5304.87 are affected by this vulnerability.
Mitigation
Customers are advised to upgrade to the latest Chrome stable channel version 107.0.5304.87 for Mac and Linux and 107.0.5304.87/.88 for Windows. For more information, please refer to the Google Chrome security page.
The customer can check for the updates by navigating to Chrome menu > Help > About Google Chrome. The web browser will automatically check for the latest updates and install them when it is launched.
Microsoft has released the Microsoft Edge Stable Channel (version 107.0.1418.26) addressing the latest security updates of the Chromium project. This update covers the latest zero-day exploit of the Chromium project (CVE-2022-3723).
Qualys Detection
Qualys customers can scan their devices with QIDs 377721 and 377732 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2022/10/stable-channel-update-for-desktop_27.html