Google has released an update for Chrome browser on Windows, Mac, and Linux to address a high-severity zero-day vulnerability (CVE-2022-4135). The vulnerability was discovered by Clement Lecigne of Google’s Threat Analysis Group.
“Google is aware that an exploit for CVE-2022-4135 exists in the wild.”, says the advisory released by Google on November 24, 2022.
CVE-2022-4135 is a heap buffer overflow vulnerability that exists in GPU. Chrome uses the GPU for video decoding and 2D rendering.
According to OWASP, A buffer overflow condition arises when a program tries to insert more data into a buffer than it can retain or to insert data into a memory location past a buffer. A buffer, in this context, is a sequential area of memory set aside for storing anything from a character string to an array of numbers. Writing outside the boundaries of a block of allocated memory can corrupt data, cause a program to crash, or even execute malicious code.
An attacker may change the execution path of an application by overwriting its memory using a heap buffer overflow, leading to unauthorized code execution or unrestricted information access.
The advisory says, “Access to bug details and links may be restricted until most users are updated with a fix. We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on but haven’t yet fixed.”
CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog.
CVE-2022-4135 is the eighth zero-day vulnerability in the Chrome browser that Google has fixed since the start of the year.
The previous zero-days were:
- CVE-2022-3723: Type Confusion in V8 (October 28th)
- CVE-2022-3075: Insufficient data validation in Mojo (September 2nd)
- CVE-2022-2856: Insufficient validation of untrusted input in Intents (August 17th)
- CVE-2022-2294: Heap-based buffer overflow vulnerability in the WebRTC (Web Real-Time Communications) component (July 4th)
- CVE-2022-1364: Type confusion in V8 (April 14th)
- CVE-2022-1096: Type confusion flaw in the Chrome V8 JavaScript engine (March 25th)
- CVE-2022-0609: Use-after-free in Animation (February 14th)
Affected versions
Google Chrome versions prior to 107.0.5304.121 are affected by this vulnerability.
Mitigation
Customers are requested to upgrade to the latest stable channel version 107.0.5304.121 for Mac and Linux and 107.0.5304.121/.122 for Windows. For more information, please refer to the Google Chrome security page.
The customer can check for the updates by navigating to Chrome Menu > Help > About Google Chrome. The web browser automatically checks for the latest updates and installs them when launched.
Microsoft has released the Microsoft Edge Stable Channel (Version 107.0.1418.62) and Microsoft Edge Extended Stable Channel (Version 106.0.1370.86) addressing the latest security updates of the Chromium project. This update contains a patch for the latest zero-day exploit of the Chromium project (CVE-2022-4135).
Qualys Detection
Qualys customers can scan their devices with QIDs 377794 and 377798 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://chromereleases.googleblog.com/2022/11/stable-channel-update-for-desktop_24.html
https://learn.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security#november-28-2022