Google is rolling out an emergency, out-of-band patch for another zero-day vulnerability in its flagship browser Chrome. Tracked as CVE-2022-4262, the vulnerability affects all browser versions on all platforms.
More importantly, the exploit for the vulnerability, a type confusion bug in Chrome’s V8 engine, exists in the wild. This is why patching the vulnerability, reported on November 29 by Clement Lecigne of Google’s Threat Analysis Group, should be prioritized.
Like the three other type confusion vulnerabilities found in Chrome in 2022, this one also threatens systems with vulnerable applications with out-of-bounds system memory access by threat actors.
â€œIt is very likely that this vulnerability allows remote code execution, which means that a threat actor could cause any script or malware payload to be executed on the victims’ device.â€
The Center for Internet Security (CIS) noted that successful exploitation of CVE-2022-4262 can enable threat actors to arbitrarily execute code in the context of the logged-on user. A hacker can install programs, view, change, delete data, or create new accounts with full user rights.
Walters added, â€œIn most cases, attackers exploit such vulnerabilities when users visit their malicious site. Then they steal data from the affected devices, or create botnets to perform distributed denial-of-service (DDoS) attacks, mine cryptocurrency or send spam.â€
CVE-2022-4262 is the ninth zero-day vulnerability discovered and patched in 2022. It is also the fourth vulnerability in the V8 engine, which, besides Chrome, is used across most Chromium-based web browsers, including Brave, Opera, Vivaldi and Microsoft Edge.
All nine Chrome zero-day bugs are listed below:
|Type||Resides In||CVSS Score||Month of Patch Release|
|CVE-2022-0609Opens a new window||Use-after-free||Animation||8.8||
|Type confusion||V8 engine||8.8||March 2022|
|CVE-2022-1364Opens a new window||Type confusion||V8 engine||8.8||
|Heap buffer overflow||WebRTC||8.8||July 2022|
|CVE-2022-2856Opens a new window||Insufficient validation of untrusted input||Intents||6.5||
|Insufficient data validation||Mojo||9.6||September 2022|
|CVE-2022-3723Opens a new window||Type confusion||V8 engine||8.8||
|Heap buffer overflow||GPU component of Chrome||9.6||November 2022|
|CVE-2022-4262||Type confusion||V8 engine||NA||
CIS wrote in a blog postOpens a new window that the risk from CVE-2022-4262 is â€˜high’ to large, medium, and small government entities and businesses and that it poses a ‘low’ risk to individuals/home users.
â€œGoogle will not give details about the vulnerability until most users’ browsers are updated, and rightly so. The severity of this vulnerability can hardly be overstated. That’s why we recommend that you update your Chrome browser as soon as possible.â€
To update Chrome to version 108.0.5359.94, click on the three vertical ellipses in the top right corner. Go to Settings > About Chrome, where the browser automatically checks for updates. The application will prompt users to restart Chrome after updates are installed.
â€œIt is worth noting that patching browsers can be problematic though, because people do not like rebooting their browsers, which is often required as part of an update. That’s why the best practice for organizations is to automate patching for third-party apps, including browsers, and ensure their IT teams can force reboots remotely in a way that is comfortable to end users,â€ Walters advised.
Image source: Shutterstock