Google Chrome’s second zero-day in 2022

Threat Advisories

Google Chrome’s second zero-day in 2022

THREAT LEVEL: Red.

For a detailed advisory, download the pdf file here

A zero-day vulnerability has been discovered in Google Chrome versions prior to 99.0.4844.84. A type of confusion vulnerability tracked as CVE-2022-1096, is acknowledged to be exploited in the wild.

This vulnerability affects the V8 component, which is used to parse JavaScript code in Google Chrome. A type of confusion refers to code errors in which an app begins data execution processes with a given “type” of input but is deceived into considering the input as a different “type”.  The “type confusion” causes logical mistakes in the memory of the software. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code in the context of the browser.

We recommend organizations update to Chrome 99.0.4844.84 for Windows, Mac and Linux to avoid exploitation and mitigate any potential threats.

Potential MITRE ATT&CK TTPs are:

TA0042: Resource Development

T1588: Obtain Capabilities

T1588.006: Obtain Capabilities: Vulnerabilities

TA0001: Initial Access

T1190: Exploit Public-Facing Application

Vulnerability Details

Patch Link

https://www.google.com/intl/en/chrome/?standalone=1

References

https://chromereleases.googleblog.com/2022/03/stable-channel-update-for-desktop_25.html

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-1096