Google confirms Chrome Zero-Day #5 as CVE-2022-2856 attacks begin


August 20 update below. This article was originally published on August 18.

If you’re a Chrome browser user, whether on Windows, Mac, or Linux, Google has some bad news for you. Attackers are already exploiting a high-impact security vulnerability that could lead them to take control of a system resource or execute arbitrary code. This is the fifth zero-day that Google has faced in 2022 so far.


What is Google Chrome CVE-2022-2856 Zero Day?

In an advisory published on August 16, Srinivas Sista from the Google Chrome team confirms that a total of eleven security vulnerabilities, ranging from medium to critical impact, have been fixed in the latest Chrome update. One of them, CVE-2022-2856, is the zero-day in question. “Google is aware that an exploit for CVE-2022-2856 exists in the wild,” Sista said.

Few details are made public about the zero-day vulnerability until a majority of users have had time to ensure the update is installed and activated.

However, Google confirms that CVE-2022-2856 was reported by hackers from Google’s Threat Analysis Group, Ashley Shen and Christian Resell, on July 19. This is, according to the advisory, “insufficient validation of untrusted inputs in Intents”.

Which will be as clear as mud to most users.


All I can add, at this point, in an attempt to clarify, is that the “intents” mentioned are how Chrome handles user input. It is possible, although again I cannot confirm the precise technical details of CVE-2022-2856, that creating a malicious entry that prevents Chrome from validating it could potentially lead to the execution of arbitrary code.

What steps should you take to secure Google Chrome?

What I can say with confidence is that you should check that your browser has been updated to the latest version of Chrome as soon as possible. For Mac and Linux users it will be Chrome 104.0.5112.101, while for Windows users it could be 104.0.5112.101 or 104.0.5112.102, just for additional unwanted confusion.

While Chrome should update automatically, it is recommended to force the update check to be sure. You also need to take an extra step before your browser is protected from the zero-day and other disclosed threats.

Navigate to the About Google Chrome entry in the browser menu, which will force a search for any available update. Once this update is downloaded and installed, a relaunch button will become available. After restarting the browser, the update will activate and protect you from Google Chrome’s fifth zero-day of the year.
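For anyone checking more than one machine, the version check and the "extra step" above can be expressed as a small audit. This is an added example, not code from Google or from the original article; the inventory layout (host, installed version, running version) and the sample rows are constructed for illustration.

```python
import re

# Fixed build named in the article. Windows may also report 104.0.5112.102.
FIXED_BUILD = "104.0.5112.101"

_VERSION_RE = re.compile(r"^\d+(\.\d+){3}$")


def parse_version(text):
    """Turn '104.0.5112.101' into (104, 0, 5112, 101) for numeric comparison."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a four-part Chrome version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def classify(installed, running, fixed=FIXED_BUILD):
    """Return 'patched', 'relaunch-pending', 'vulnerable' or 'unknown'."""
    try:
        inst = parse_version(installed)
        run = parse_version(running)
        want = parse_version(fixed)
    except ValueError:
        return "unknown"
    if run >= want:
        return "patched"           # the fixed build is the one actually running
    if inst >= want:
        return "relaunch-pending"  # update is on disk, browser not restarted yet
    return "vulnerable"


# Constructed inventory rows: (host, installed version, running version).
INVENTORY = [
    ("mac-01", "104.0.5112.101", "104.0.5112.101"),
    ("win-07", "104.0.5112.102", "104.0.5112.79"),
    ("lin-03", "104.0.5112.79", "104.0.5112.79"),
    # A plain string comparison would wrongly rank .99 above .101.
    ("win-12", "104.0.5112.99", "104.0.5112.99"),
    ("lin-09", "unknown", ""),
]


def audit(inventory):
    """Map each host to its patch status."""
    return {host: classify(inst, run) for host, inst, run in inventory}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as relaunch-pending have downloaded the fix but are still running the old build until the browser is restarted.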


As other Chromium engine-based browsers will likely be affected by the same vulnerabilities, expect updates for Brave, Edge, and Opera to follow in due course.

August 20 update:

CISA adds Chrome zero-day to catalog of known exploited vulnerabilities

Although almost all mainstream media coverage, not just tech publications, has focused on the recently patched Apple iOS and macOS zero-days, that doesn’t mean that Google Chrome’s zero-day suddenly becomes irrelevant. The fact that the US Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2022-2856 to the “catalogue of known exploited vulnerabilities” is proof of this. This list of vulnerabilities known to be exploited by real-world threat actors comes with a strong recommendation from CISA to apply available patches as soon as possible. Needless to say, but I will anyway, the two Apple vulnerabilities (CVE-2022-32893 and CVE-2022-32894) are also included in this latest CISA catalog update.

Browser security goes beyond the issue of vulnerabilities

However, it’s not just vulnerabilities, or even zero-day vulnerabilities, that the security-conscious Google Chrome user should be aware of. In early August, I reported how a cybercrime group called SharpTongue, which allegedly has ties to another group, Kimsuky, which CISA reports is likely to be “charged by the North Korean regime with a world of intelligence collection”, was bypassing the need to collect credentials in order to spy on Gmail messages. The SHARPEXT attack could even read emails from users who had two-factor authentication in place. It handles this by harvesting authentication cookies in what’s called an Adversary-in-the-middle (AiTM) attack.

SHARPEXT malware arrives by way of, and here’s the “not just vulnerabilities” point, a malicious browser extension. In addition to Chrome, the campaign targeted Edge (based on the same Chromium engine) and a little-known client in the West called Whale, which appears to be used in South Korea. New Kaspersky research sheds light on the whole browser extension security problem, and it’s not just limited to Chromium-based browsers.

Kaspersky study reveals extent of malicious browser extension problem

According to Kaspersky research, in the first six months of 2022 alone, some 1,311,557 users attempted to download malicious or unwanted extensions. This, dear reader, represents a 70% increase from the number similarly affected throughout 2021. While serving unwanted ads has been the most common goal of these browser extensions, that is not the whole story: extensions with a malware payload were the second most common. Indeed, between January 2020 and June 2022, Kaspersky researchers claim that some 2.6 million individual users were attacked by such malicious extensions.

Check that your Chromium-based browser is up-to-date and patched

And finally, I mentioned in the original Chrome update post that other browsers will release updates in due course. These all now seem to be in place. Refer to the images below to see the latest build numbers for Brave, Edge, and Opera.

