A Long Year for Chrome
Google has recently addressed a critical vulnerability in its Chrome browser, marking the fifth actively exploited zero-day flaw that the tech giant has had to patch this year. This latest bug, known as CVE-2022-2856, was part of a series of fixes rolled out in a stable channel update last Wednesday.
The flaw, which has been rated as high on the Common Vulnerability Scoring System (CVSS), is linked to “insufficient validation of untrusted input in Intents,” as per Google’s advisory. This essentially means that the software wasn’t adequately checking the safety of certain inputs, potentially allowing an attacker to manipulate the input in a way that the rest of the application wouldn’t expect.
The Impact – Chrome is Popular
Ultimately, this could lead to unintended control flow, arbitrary control of a resource, or even arbitrary code execution. The discovery of the flaw was credited to Ashley Shen and Christian Resell from Google’s Threat Analysis Group (TAG), who reported the issue on July 19. Alongside this, Google also released patches for ten other Chrome-related issues.
The term “Intents” refers to a deep linking feature within the Chrome browser on Android devices, which replaced the previously used URI schemes. This feature adds complexity, but it also lets a link automatically handle the case where the target mobile app is not installed. In the world of cybersecurity, it’s common practice to withhold specific details about a bug until it has been widely patched. This strategy is aimed at preventing threat actors from further exploiting the vulnerability.
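To make the “untrusted input in Intents” idea concrete, here is an added example (not Google’s code and unrelated to the actual fix) that parses an Android intent:// deep link and applies a simple allow-list policy to it. It assumes the intent URI layout Chrome documents for Android (an `#Intent;…;end` fragment carrying `package=`, `scheme=` and the string extra `S.browser_fallback_url=`); the policy rules themselves (require a package, forbid explicit components, fallback URLs must be http or https) are this example’s own assumptions.

```python
from urllib.parse import urlsplit, unquote

# Policy assumptions for this example: only web fallbacks are acceptable.
ALLOWED_FALLBACK_SCHEMES = {"http", "https"}
# Fragment keys taken from Android's Intent URI syntax (assumption, not from the advisory).
KNOWN_KEYS = {"action", "category", "component", "package", "scheme", "type"}


def parse_intent_url(url):
    """Split an intent: link into (data, fields, string_extras).
    Returns None when the link does not follow the #Intent;...;end layout."""
    if not url.startswith("intent:"):
        return None
    body, sep, frag = url.partition("#Intent;")
    if not sep or not frag.endswith(";end"):
        return None
    fields, extras = {}, {}
    for item in frag[:-len(";end")].split(";"):
        key, eq, value = item.partition("=")
        if not eq:
            return None                      # bare token or empty fragment: malformed
        if key.startswith("S."):
            extras[key[2:]] = unquote(value)  # string extras are percent-encoded
        elif key in KNOWN_KEYS:
            fields[key] = value
        else:
            return None                      # typed extras (i., B., ...) or junk: reject conservatively
    return body[len("intent:"):], fields, extras


def check_intent_url(url):
    """Return a list of policy findings for a link; an empty list means it passes."""
    parsed = parse_intent_url(url)
    if parsed is None:
        return ["malformed intent URL"]
    _, fields, extras = parsed
    findings = []
    if "package" not in fields:
        findings.append("no target package: link may resolve to an arbitrary handler")
    if "component" in fields:
        findings.append("explicit component targeting is not allowed")
    fallback = extras.get("browser_fallback_url")
    if fallback is not None:
        scheme = urlsplit(fallback).scheme
        if scheme not in ALLOWED_FALLBACK_SCHEMES:
            findings.append(f"fallback URL scheme {scheme!r} is not http(s)")
    return findings
```

The constructed links in the test below show a well-formed link passing and malformed or out-of-policy links being rejected before anything is dispatched.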
The Research
Satnam Narang, a senior staff research engineer at cybersecurity firm Tenable, supports this approach, stating that publicizing details on an actively exploited zero-day vulnerability just as a patch becomes available could have severe consequences.
The latest update also includes fixes for other vulnerabilities rated as high or medium risk, including a critical bug known as CVE-2022-2852. This bug, reported by Sergei Glazunov of Google Project Zero on Aug. 8, is a use-after-free issue in FedCM, a system that provides a use-case-specific abstraction for federated identity flows on the web.
This year has seen Google patch several zero-day vulnerabilities in Chrome under active attack. These include a heap buffer overflow flaw in WebRTC, a separate buffer overflow flaw, a type confusion flaw affecting Chrome’s use of the V8 JavaScript engine, and a use-after-free flaw in Chrome’s Animation component. The latter was exploited by North Korean hackers weeks before it was discovered and patched.