Security News > 2022 > March > Google Chrome Bug Actively Exploited as Zero-Day
Google has updated its Stable channel for the desktop version of Chrome, to address a zero-day security vulnerability that's being actively exploited in the wild.
The bug, tracked as CVE-2022-1096, is a type-confusion issue in the V8 JavaScript engine, which is an open-source engine used by Chrome and Chromium-based web browsers.
Type confusion, as Microsoft has laid out in the past, occurs "When a piece of code doesn't verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusionAlso with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution."
Google didn't provide additional technical details, as is its wont, but did say that it was "Aware that an exploit for CVE-2022-1096 exists in the wild." An anonymous researcher was credited with finding the issue, which is labeled "High-severity".
"The vulnerability was only reported on the 23rd of March, and while Google's Chrome team do tend to be fairly prompt in developing, testing and rolling patches, the idea of a patch for software deployed as widely deployed as Chrome in 48 hours is something is continue to be impressed by," he said.
CVE-2021-21148 - Feb. 4, an unnamed type of bug in V8. CVE-2021-21224 - April 20, an issue with type confusion in V8 that could have allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
News URL
https://threatpost.com/google-chrome-bug-actively-exploited-zero-day/179161/
Related news
- Lazarus hackers used fake DeFi game to exploit Google Chrome zero-day (source)
- How to enable Safe Browsing in Google Chrome on Android (source)
- Lazarus Group Exploits Google Chrome Vulnerability to Control Infected Devices (source)
- New tool bypasses Google Chrome’s new cookie encryption system (source)
- Google: 70% of exploited flaws disclosed in 2023 were zero-days (source)
- Google to let businesses create curated Chrome Web Stores for extensions (source)
- Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine (source)
- Google fixes two Android zero-days used in targeted attacks (source)
- Google says “Enhanced protection” feature in Chrome now uses AI (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-07-23 | CVE-2022-1096 | Type Confusion vulnerability in Google Chrome Type confusion in V8 in Google Chrome prior to 99.0.4844.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |
| 2021-04-26 | CVE-2021-21224 | Type Confusion vulnerability in multiple products Type confusion in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | 8.8 |
| 2021-02-09 | CVE-2021-21148 | Out-of-bounds Write vulnerability in multiple products Heap buffer overflow in V8 in Google Chrome prior to 88.0.4324.150 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. | 8.8 |