First zero-day vulnerability of Google Chrome this year actively exploited in wild

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here

Google released a stable channel update for their Chrome browser that contains a zero-day vulnerability and is actively being exploited-in-wild. This is the first zero-day bug reported in Chrome browser this year.

A Use-After-Free (UAF) vulnerability which has been assigned CVE-2022-0609 affects the Animation component that may allow attackers to corrupt data, crash program or execute arbitrary code on computers running unpatched Chrome versions or escape the browser’s security sandbox. Successful exploitation of this issue may lead to data corruption, program crash or arbitrary code execution. In recent browser versions, a number of controls have been introduced that make exploitation of these use after free vulnerabilities much harder but despite this, they still seem to persist.

In addition to the zero-day bug, this update fixed seven other security vulnerabilities as mentioned in the table below. We recommend organizations to update to Chrome 98.0.4758.102 for Windows, Mac and Linux to avoid exploitation and mitigate any potential threats.

Potential MITRE ATT&CK TTPs are:

TA0040 – Impact

TA0001 – Initial Access

TA0002 – Execution

T1499- Endpoint Denial of Service

T1189- Drive-by Compromise

T1190- Exploit-public facing application

T1203- Exploitation for Client Execution

T1499.004- Endpoint Denial of Service: Application or System Exploitation

Vulnerability Details

Patch Link

https://www.google.com/intl/en/chrome/?standalone=1

References

https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html