
Google Chrome zero-day vulnerability: All you need to know


Google released an emergency update for the Chrome desktop web browser last week. It was the seventh zero-day exploit patched by Google this year, as against 58 zero-days for the whole of 2021.

The term 'zero-day' covers a security vulnerability, the exploit for it and the attack that uses it: a method hackers use to attack systems through a previously unidentified vulnerability. The name refers to the fact that the vendor or developer has only just learned of the flaw, which means they have “zero days” to fix it.

7 zero-day exploits patched by Google this year 


Google reported the seventh zero-day it patched, identified as CVE-2022-3723, as a type confusion bug in the Chrome V8 JavaScript engine; it was discovered and reported by analysts at Avast. The CVE programme tracks security flaws and vulnerabilities across multiple platforms.

Type confusion issues occur when a product’s code is handed objects whose type it has not verified and then uses them as if they were the type it expected. In some cases, code execution can be achieved when wrong function pointers or data are fed into certain parts of a ‘codebase’.
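An added illustration of the unchecked and checked patterns described above, written in C; it is not code from Chrome, V8 or Google's advisory, and the `value_t` type and every function name are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example type: a tagged value like those a script engine passes around. */
typedef enum { T_NUMBER, T_STRING } tag_t;

typedef struct {
    tag_t tag;               /* says which union member is valid */
    union {
        double num;          /* valid only when tag == T_NUMBER */
        const char *str;     /* valid only when tag == T_STRING */
    } as;
} value_t;

value_t make_number(double d)      { value_t v; v.tag = T_NUMBER; v.as.num = d; return v; }
value_t make_string(const char *s) { value_t v; v.tag = T_STRING; v.as.str = s; return v; }

/* Unchecked pattern: trusts the caller and reads the string member without
 * looking at the tag. The pointer is returned as an integer and is never
 * dereferenced here, so the confusion is visible without a crash. */
uintptr_t unchecked_str_addr(value_t v) { return (uintptr_t)v.as.str; }

/* The leading bytes of a double, as the unchecked reader interprets them. */
uintptr_t raw_bits(double d) {
    uintptr_t b = 0;
    memcpy(&b, &d, sizeof b < sizeof d ? sizeof b : sizeof d);
    return b;
}

/* Checked pattern: verify the tag before touching the member.
 * Returns the string length, or -1 when the value is not a string. */
long checked_str_len(value_t v) {
    if (v.tag != T_STRING || v.as.str == NULL) return -1;
    return (long)strlen(v.as.str);
}

int main(void) {
    value_t n = make_number(2.0);
    /* The number's bytes come back as if they were an address. */
    printf("unchecked read of a number as a string pointer: %#llx\n",
           (unsigned long long)unchecked_str_addr(n));
    /* The tag check rejects the same value instead of using it. */
    printf("checked read of the same value: %ld\n", checked_str_len(n));
    printf("checked read of a real string: %ld\n", checked_str_len(make_string("v8")));
    return 0;
}
```

The unchecked reader hands back whatever bytes the number happened to contain as a pointer, which is why a missing type check can turn ordinary data into a wrong address or function pointer.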

This particular exploit allows attackers to potentially go through sensitive app data stored within the device. In the past, malicious actors have leveraged this type of vulnerability in programs like PHP, Adobe Flash, and Mozilla Firefox.


On September 8, Google rolled out an update for the sixth zero-day vulnerability found in the Chrome web browser, tracked as CVE-2022-3075. The tech major issued the update for the desktop versions of the browser, including Windows, Mac, and Linux, and credited an anonymous researcher with discovering the vulnerability.

Without going into details of the vulnerability for obvious reasons, Google said that CVE-2022-3075 exists due to “insufficient data validation” in the runtime libraries used by Chromium, the open-source browser Chrome is based on. These libraries, collectively known as Mojo, enable Chrome or any other app/program that runs on it to carry out multiple functions, mainly inter- and intra-process communication.

In mid-August, Google fixed its fifth zero-day and 11 other vulnerabilities. The company described the exploited flaw, tracked as CVE-2022-2856, as a high-severity security issue due to “insufficient validation of untrusted input in Intents,” a feature that enables launching applications and web services directly from a web page.


Bad input validation in software can serve as a pathway to overriding protections or exceeding the scope of the intended functionality, potentially leading to buffer overflow, directory traversal, SQL injection, cross-site scripting, null byte injection, and more. 

The fourth zero-day, which came to light in early July, has been linked to Israeli spyware company Candiru and was used in targeted attacks aimed at entities in the Middle East. In a release announced on July 4, Google shipped Chrome 103.0.5060.114 for Windows to address a high-severity zero-day Chrome vulnerability, tracked as CVE-2022-2294, that was actively exploited in the wild, as per the advisory published by Google.

The flaw is a heap buffer overflow that resides in the Web Real-Time Communications (WebRTC) component. The vulnerability was reported by Jan Vojtesek from the Avast Threat Intelligence team on July 1, 2022. 


On April 14, Google fixed its third zero-day for 2022. It released Chrome 100.0.4896.127 for Windows, Mac, and Linux to address a high-severity zero-day, tracked as CVE-2022-1364, that is actively exploited by threat actors in attacks.

This zero-day is again a type confusion issue in the V8 JavaScript engine; it was reported by Google’s Threat Analysis Group on April 13, 2022. Shane Huntley, Google’s Threat Analysis Group chief, highlighted that the flaw was quickly addressed by the company. “Google is aware that an exploit for CVE-2022-1364 exists in the wild,” said the security advisory.

On March 25, Google patched the second actively exploited zero-day vulnerability in its Chrome browser this year. Most of the details about the security vulnerability were left unpublished by Google, but the company confirmed it was a type confusion flaw, tracked as CVE-2022-1096, found in the V8 JavaScript engine.


“Access to bug details and links may be kept restricted until a majority of users are updated with a fix,” said Google Chrome in a blog post. “We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven’t yet fixed.”

February 14 saw a fix for the first of 2022’s Chrome zero-days, a use-after-free flaw in Chrome’s Animation component tracked as CVE-2022-0609 that already was under attack. Successful exploitation of this issue may lead to data corruption, program crash or arbitrary code execution. Later, it was revealed that North Korean hackers were exploiting the flaw weeks before it was discovered and patched.

Google Chrome remains most vulnerable


Notably, with 303 vulnerabilities and a cumulative total of 3,159 vulnerabilities as of 2022, Google Chrome is the most vulnerable browser available, according to a report by Atlas VPN, covering January 1 to October 5.

Mozilla's Firefox browser is in second place for vulnerabilities, with 117 of them. Microsoft Edge had 103 vulnerabilities as of October 5, 61% more than the entire year of 2021. Overall, it has had 806 vulnerabilities since its release. Next is Safari, which has some of the lowest levels of vulnerabilities. For example, in the first three quarters of 2022, it had 26 vulnerabilities, and its cumulative count is 1,139 vulnerabilities since its release, the report said.

Because Google Chrome updates fix a flaw already exploited by threat actors, users are advised to switch to the latest version of the browser as soon as possible. To perform the update, users should go to the browser’s settings, select “About Chrome” and let the browser’s internal checker scan for available updates. After the download is complete, all they need to do is restart the program to apply the security update, said Google.

