Google has updated the Stable channel of the desktop version of Chrome to address a zero-day security vulnerability that is being actively exploited in the wild.
The bug, tracked as CVE-2022-1096, is a type-confusion issue in the V8 JavaScript engine, which is an open-source engine used by Chrome and Chromium-based web browsers. Type confusion, as Microsoft has laid out in the past, occurs “when a piece of code doesn’t verify the type of object that is passed to it, and uses it blindly without type-checking, it leads to type confusion…Also with type confusion, wrong function pointers or data are fed into the wrong piece of code. In some circumstances this can lead to code execution.”
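To make the quoted definition concrete, the following C program is an added teaching example (it is not the article's code and has nothing to do with V8's internals): a toy tagged value, in the style a script runtime uses to keep numbers and strings behind one pointer, with an accessor that skips the tag check beside one that performs it. All type and function names (value, make_number, string_length_unchecked, string_length_checked and the demo_ helpers) are constructed for this illustration, and the input value 2.0 is chosen because its IEEE-754 encoding, 0x4000000000000000, is easy to recognise when it turns up where a string length should be.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model (not V8 code): a dynamically typed value stored as a
 * tag plus a union, the way many script engines keep heterogeneous values
 * behind a single pointer. */
typedef enum { TAG_NUMBER, TAG_STRING } value_tag;

typedef struct {
    value_tag tag;
    union {
        double number;                 /* TAG_NUMBER payload */
        struct {
            uint64_t    len;           /* TAG_STRING payload: byte length ... */
            const char *data;          /* ... and pointer to the bytes */
        } string;
    } as;
} value;

value make_number(double d) {
    value v;
    memset(&v, 0, sizeof v);
    v.tag = TAG_NUMBER;
    v.as.number = d;
    return v;
}

value make_string(const char *s) {
    value v;
    memset(&v, 0, sizeof v);
    v.tag = TAG_STRING;
    v.as.string.len = strlen(s);
    v.as.string.data = s;
    return v;
}

/* Type-confused accessor: trusts the caller and never looks at the tag. Handed
 * a number, it reinterprets the IEEE-754 bits of the double as a string length,
 * which is the "wrong data fed into the wrong piece of code" pattern the
 * Microsoft definition describes. */
uint64_t string_length_unchecked(const value *v) {
    return v->as.string.len;
}

/* Hardened accessor: checks the tag before touching the payload. Returns 0 and
 * fills *out for a string, -1 for anything else, so a caller can never proceed
 * with a bogus length. */
int string_length_checked(const value *v, uint64_t *out) {
    if (v->tag != TAG_STRING) {
        return -1;
    }
    *out = v->as.string.len;
    return 0;
}

/* Demonstrations on a constructed input: the number 2.0, whose 64-bit
 * encoding is 0x4000000000000000. */
uint64_t demo_confused_length(void) {
    value n = make_number(2.0);
    return string_length_unchecked(&n);     /* returns 0x4000000000000000: a 4-exabyte "string" */
}

int demo_checked_rejects_number(void) {
    value n = make_number(2.0);
    uint64_t len = 0;
    return string_length_checked(&n, &len); /* returns -1: refused */
}

uint64_t demo_checked_accepts_string(void) {
    value s = make_string("hello");
    uint64_t len = 0;
    if (string_length_checked(&s, &len) != 0) {
        return 0;
    }
    return len;                             /* returns 5 */
}

int main(void) {
    printf("confused length of 2.0 : 0x%llx\n", (unsigned long long)demo_confused_length());
    printf("checked accessor status: %d\n", demo_checked_rejects_number());
    printf("checked length of hello: %llu\n", (unsigned long long)demo_checked_accepts_string());
    return 0;
}
```

The unchecked accessor is the shape of the defect: nothing crashes at the point of confusion, but whatever consumes the returned length (a copy, a bounds check, an index computation) now operates on attacker-influenced data, which is why the article's description of type confusion ends with "in some circumstances this can lead to code execution". The checked accessor is the mitigation pattern: every payload read is gated on the tag, and a mismatch is reported rather than tolerated.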
Google didn’t provide additional technical details, as is its wont, but did say that it was “aware that an exploit for CVE-2022-1096 exists in the wild.” An anonymous researcher was credited with finding the issue, which is labeled “high-severity” (no CVSS score was given).
The lack of any further information is a source of frustration to some.
“As a defender, I really wish it was more clear what this security fix is,” John Bambenek, principal threat hunter at Netenrich, said via email. “I get permission-denied errors or ‘need to authenticate,’ so I can’t make decisions or advise my clients. A little more transparency would be beneficial and appreciated.”
Emergency Patch; Active Exploit
The internet giant has updated the Stable channel to 99.0.4844.84 for Chrome for Windows, Mac and Linux, according to its security advisory. Microsoft, which offers the Chromium-based Edge browser, also issued its own advisory. It’s unclear whether other offerings built on V8, such as the JavaScript runtime environment Node.js, are also affected.
The patch was issued on an emergency basis, likely due to the active exploit that’s circulating, researchers noted.
“The first thing which stood out to me about this update is that it only fixes a single issue,” Casey Ellis, founder and CTO at Bugcrowd, noted by email. “This is pretty unusual for Google. They typically fix multiple issues in these types of releases, which suggests that they are quite concerned and very motivated to see fixes against CVE-2022-1096 applied across their user-base ASAP.”
He also commented on the speed of the patch being rolled out.
“The vulnerability was only reported on the 23rd of March, and while Google’s Chrome team do tend to be fairly prompt in developing, testing and rolling patches, the idea of a patch for software as widely deployed as Chrome in 48 hours is something I continue to be impressed by,” he said. “Speculatively, I’d suggest that the vulnerability has been discovered via detection of active exploitation in the wild, and the combination of impact and potentially the malicious actors currently using it contributed to the fast turnaround.”
V8 Engine in the Crosshairs
The V8 engine has been plagued with security bugs and targeted by cyberattackers many times in the last year. Last year delivered a total of 16 Chrome zero-days, including these in V8:
- CVE-2021-21148 – Feb. 4, an unnamed type of bug in V8.
- CVE-2021-21224 – April 20, a type-confusion issue in V8 that could have allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
- CVE-2021-30551 – June 9, a type-confusion bug in V8 (also under active attack as a zero-day).
- CVE-2021-30563 – July 15, another type-confusion bug in V8.
- CVE-2021-30633 – Sept. 13, an out-of-bounds write in V8.
- CVE-2021-37975 – Sept. 30, a use-after-free bug in V8 (also attacked as a zero-day).
- CVE-2021-38003 – Oct. 28, an inappropriate implementation in V8.
- CVE-2021-4102 – Dec. 13, a use-after-free bug in V8.