Google has rolled out patches for its chrome browser addressing multiple vulnerabilities, including a high severity zero-day vulnerability (CVE-2022-2856). Google addressed the vulnerability stating, “Google is aware that an exploit for CVE-2022-2856 exists in the wild”. The security update is currently rolling out for Windows, Mac and Linux Operating systems.
Google described the zero-day (CVE-2022-2856) as a high-severity security issue due to “insufficient validation of untrusted input in Intents”. Chrome Intent is a feature that allows launching applications and web services directly from a web page. Google has not provided further details of which apps and data can be maliciously manipulated by this vulnerability. Insufficient input validation vulnerabilities usually lead to issues like Buffer Overflow, directory traversal, SQL injection etc.
The current update addresses the fifth zero-day vulnerability in Chrome since the start of the year. The previous zero days were as follows:
- CVE-2022-0609 – Use-after-free in Animation
- CVE-2022-1096 – Type confusion in V8
- CVE-2022-1364 – Type confusion in V8
- CVE-2022-2294 – Heap buffer overflow in WebRTC
Apart from the zero-day Google has patched 10 additional security bugs with the current update. The complete list of bugs fixed in the latest update is as follows:
- CVE-2022-2852: Use after free in FedCM.
- CVE-2022-2854: Use after free in SwiftShader.
- CVE-2022-2855: Use after free in ANGLE.
- CVE-2022-2857: Use after free in Blink.
- CVE-2022-2858: Use after free in Sign-In Flow.
- CVE-2022-2853: Heap buffer overflow in Downloads.
- CVE-2022-2856: Insufficient validation of untrusted input in Intents. (Zero-day.)
- CVE-2022-2859: Use after free in Chrome OS Shell.
- CVE-2022-2860: Insufficient policy enforcement in Cookies.
- CVE-2022-2861: Inappropriate implementation in Extensions API.
Affected Products:
Google Chrome versions prior to 104.0.5112.101 (for Mac and Linux) and prior to 104.0.5112.102/101 (for Windows).
Mitigation
Google has updated the stable channel to 104.0.5112.101 for Mac and Linux and 104.0.5112.102/101 for Windows. The security update will roll out over the coming days/weeks.
One can perform a manual update by going to Settings > Help > About Google Chrome. After the download is complete restart chrome to apply the security update.
Microsoft has released the latest Microsoft Edge Stable Channel (Version 104.0.1293.63). This update contains a fix for CVE-2022-2856, which has been reported by the Chromium team as having an exploit in the wild.
Qualys Detection
Qualys customers can scan their network with QID 376828 and 376829 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage on the latest vulnerabilities.
References and Sources:
https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_16.html
https://thehackernews.com/2022/08/new-google-chrome-zero-day.html