Google Zero Day Vulnerability (CVE-2022-1096) Affects 3.2 Billion Chrome Users

Summary

Category: Vulnerability IntelligenceVulnerability Class: Zero-Day VulnerabilityCVE ID: CVE-2022-1096CVSS:3.0 Score: To be assigned

Executive Summary

  • Google released a security update to patch a critical zero-day vulnerability in Windows, Mac, and Linux operating systems with Chrome 99.0.4844.84.
  • The zero-day vulnerability tracked as CVE-2022-1096, is a type of confusion vulnerability in the Chrome V8 JavaScript engine.
  • Google claims that the vulnerability was reported by an anonymous security researcher. The technical details and exploit for this vulnerability have been kept confidential until a majority of users patch it.


Snapshot from the advisory released by Google
Snapshot from the advisory released by Google

Analysis

  • CVE-2022-1096 is a “Type Confusion” vulnerability in the V8 Chrome Javascript engine. V8 is responsible for processing JavaScript code for Chrome. 
  • Type confusion is a programming bug in which an app uses a given "type" of input to start data execution activities, but is deceived into treating the input as a different "type." 
  • The most critical type confusion vulnerabilities can allow arbitrary code execution. Hence the attackers can confuse the V8 engine, enabling it to perform unauthorized actions like reading and writing data on the victim’s machine.
  • Chrome has 3.2 billion users, hence the exploit to this vulnerability has been kept confidential and has not been released on surface web or dark web forums. 
  • Google stated that it will release more information about this vulnerability once a majority of its users install the update, thereby patching the vulnerability.
  • This vulnerability also affects Chromium browsers like Microsoft Edge and Brave. Chrome and Microsoft Edge have released auto-updates to fix the vulnerability.

Impact & Mitigation

ImpactMitigation
This is a critical vulnerability that could be exploited by threat actors to target ~3.2 billion users across the world. The previous zero-day vulnerability reported by Google (CVE-2022-0609) was actively exploited by North Korean threat actors before it was patched.Update Chrome to 9.0.4844.84  and version Microsoft Edge to 99.0.1150.55. Refer to the Google Security Advisories: Countering threats from North Korea Chrome Releases: Stable Channel Update for Desktop 

References

Table of Contents

Request an easy and customized demo for free