Executive Summary

• Google released a security update to patch a critical zero-day vulnerability in Windows, Mac, and Linux operating systems with Chrome 99.0.4844.84.
• The zero-day vulnerability tracked as CVE-2022-1096, is a type of confusion vulnerability in the Chrome V8 JavaScript engine.
• Google claims that the vulnerability was reported by an anonymous security researcher. The technical details and exploit for this vulnerability have been kept confidential until a majority of users patch it.

Analysis

• CVE-2022-1096 is a “Type Confusion” vulnerability in the V8 Chrome Javascript engine. V8 is responsible for processing JavaScript code for Chrome. 
• Type confusion is a programming bug in which an app uses a given "type" of input to start data execution activities, but is deceived into treating the input as a different "type." 
• The most critical type confusion vulnerabilities can allow arbitrary code execution. Hence the attackers can confuse the V8 engine, enabling it to perform unauthorized actions like reading and writing data on the victim’s machine.
• Chrome has 3.2 billion users, hence the exploit to this vulnerability has been kept confidential and has not been released on surface web or dark web forums. 
• Google stated that it will release more information about this vulnerability once a majority of its users install the update, thereby patching the vulnerability.
• This vulnerability also affects Chromium browsers like Microsoft Edge and Brave. Chrome and Microsoft Edge have released auto-updates to fix the vulnerability.
  

Impact & Mitigation

References

• ^#https://en.wikipedia.org/wiki/Traffic_Light_Protocol 
• Chrome Releases: Stable Channel Update for Desktop
• Emergency Google Chrome update fixes zero-day used in attacks
• Countering threats from North Korea