Zero-Day hole exploited in the wild – Google Chrome

Topic

New Reply

FYI

1) Google fixes fifth Chrome zero-day bug exploited this year
———————————————————-
https://www.bleepingcomputer.com/news/security/google-fixes-fifth-chrome-zero-day-bug-exploited-this-year/

“Google has released a security update for the Chrome browser that addresses close to a dozen vulnerabilities, including a zero-day flaw that is being exploited in the wild.”

“The most recent one is tracked as CVE-2022-2856 and it is described as a high-severity security issue due to “insufficient validation of untrusted input in Intents,” a feature that enables launching applications and web services directly from a web page.

Bad input validation in software can serve as a pathway to overriding protections or exceeding the scope of the intended functionality, potentially leading to buffer overflow, directory traversal, SQL injection, cross-site scripting, null byte injection, and more.

The vulnerability was discovered and reported by Ashley Shen and Christian Resell, both members of the Google Threat Analysis Group (TAG).

“Google is aware that an exploit for CVE-2022-2856 exists in the wild,” explains the internet giant in the security advisory published yesterday.”

2) Chrome browser gets 11 security fixes with 1 zero-day – update now!
———————————————————————-
https://nakedsecurity.sophos.com/2022/08/17/chrome-browser-gets-11-security-fixes-with-1-zero-day-update-now/

“The latest update to Google’s Chrome browser is out, bumping the four-part version number to 104.0.5112.101 (Mac and Linux), or to 104.0.5112.102 (Windows).

According to Google, the new version includes 11 security fixes, one of which is annotated with the remark that “an exploit [for this vulnerability] exists in the wild”, making it a zero-day hole.

The name zero-day is a reminder that there were zero days on which even the most well-informed and proactive user or sysadmin could have been patched ahead of the Bad Guys.”

Folks should also watch out for follow-up updates/fixes on other Chromium-based browsers including Microsoft Edge:
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security

HTH.

1 user thanked author for this post.

Alex5723

Reply | Quote

Replies

Release notes for Microsoft Edge Stable Channel
———————————————–
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnote-stable-channel

“Version 104.0.1293.63 : August 19

Important

This update contains a fix for CVE-2022-2856, which has been reported by the Chromium team as having an exploit in the wild.”

HTH.

1 user thanked author for this post.

Alex5723

Reply | Quote

Brave already up-to-date

Reply | Quote

The CVE-2022-0609 zero-day issue that was resolved today is defined as a “Use after free in Animation” and was assigned a High severity level. Clément from Google’s Threat Analysis Group uncovered this vulnerability. Data Controlling Language (DCL) is one of these languages, and it is used to edit and retrieve data by creating specialized SQL queries using the grant command. It includes two commands: grant and revokes, which are used to grant and revoke particular rights (as specified by query) to users in a multi-user database.
Attackers frequently leverage free flaws to execute arbitrary code on machines running unpatched Chrome versions or to circumvent the browser’s security sandbox.

While Google stated that it has identified attacks leveraging this zero-day vulnerability, it did not provide any more information about these occurrences or technical specifics about the issue. Access to problem details and links may be restricted until the majority of users have received a remedy. In addition to the zero-day vulnerability, this Google Chrome version patched seven additional security flaws, with all but one classed as ‘High’ severity.

1 user thanked author for this post.

Alex5723

Reply | Quote