Google Patches Chrome’s Fifth Zero-Day of the Year
Google has released a stable channel update that includes patches for 11 vulnerabilities discovered in Chrome, among them the fifth actively exploited zero-day vulnerability detected this year. The bug, tracked as CVE-2022-2856 and rated high on the Common Vulnerability Scoring System (CVSS), is associated with ‘insufficient validation of untrusted input in Intents.’ Google has credited Ashley Shen and Christian Resell of its Threat Analysis Group (TAG) with detecting, on July 19, the zero-day bug, which could allow for arbitrary code execution.
Holding back details of the bug is a wise move to give buffer time to roll out security updates to vulnerable systems, as attackers are quick to exploit these types of flaws, said Satnam Narang, senior staff research engineer at cybersecurity firm Tenable. While the majority of the fixes in the update are for vulnerabilities rated as high or medium risk, Google also patched a use-after-free bug tracked as CVE-2022-2852, a critical issue in FedCM reported by Sergei Glazunov of Google Project Zero on Aug. 8.
Risks Associated with Insufficient Input Validation Flaws
Insufficient validation of input is a failure of input validation, the technique commonly used to check potentially hazardous inputs and ensure they are safe to process within the code or to pass to other components. When software does not verify input properly, the rest of the application receives unintended input, which can result in altered control flow, arbitrary control of resources, or code execution.
Intents are a deep linking feature of the Chrome browser on Android devices that replaces URI schemes. Branch, a company that offers various linking alternatives for mobile applications, explains that developers must use their intent string instead of assigning window.location or an iframe.src to the URI scheme. Intents “adds complexity,” but it “handles the case of the mobile app not being installed” within links, according to the post.
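One way to apply deny-by-default input validation to an untrusted Android `intent:` link before an application acts on it. This is an added example, not code from the article, Google or Branch, and not the fix for CVE-2022-2856. The URI layout follows Chrome's documented `intent:` syntax, while the policy, package name, scheme and hosts are constructed for a hypothetical app.

```javascript
// Added example. POLICY values are constructed for a hypothetical app.
const POLICY = {
  allowedKeys: new Set(["scheme", "package", "action", "S.browser_fallback_url"]),
  schemes: new Set(["https", "exampleapp"]),
  packages: new Set(["com.example.app"]),
  fallbackHosts: new Set(["www.example.com"]),
};

// Split "intent://host/path#Intent;key=value;...;end" into target and parameters.
function parseIntentUri(uri) {
  const m = /^intent:(\/\/[^#]*)?#Intent;(.*?);end;?$/.exec(uri);
  if (!m) throw new Error("not a well-formed intent: URI");
  const params = new Map();
  for (const part of m[2].split(";")) {
    const eq = part.indexOf("=");
    if (eq <= 0) throw new Error("malformed parameter");
    const key = part.slice(0, eq);
    if (params.has(key)) throw new Error(`duplicate parameter: ${key}`);
    params.set(key, decodeURIComponent(part.slice(eq + 1))); // may throw URIError
  }
  return { target: m[1] || "", params };
}

// Deny by default: every parameter, scheme, package and fallback host must be listed.
function validateIntentUri(uri, policy = POLICY) {
  let params;
  try {
    ({ params } = parseIntentUri(uri));
  } catch (e) {
    return { ok: false, reason: e.message };
  }
  for (const key of params.keys()) {
    if (!policy.allowedKeys.has(key)) return { ok: false, reason: `parameter not allowed: ${key}` };
  }
  if (!policy.schemes.has(params.get("scheme"))) return { ok: false, reason: "scheme not allowed" };
  if (!policy.packages.has(params.get("package"))) return { ok: false, reason: "package not allowed" };
  const fallback = params.get("S.browser_fallback_url");
  if (fallback !== undefined) {
    let u;
    try { u = new URL(fallback); } catch (e) { return { ok: false, reason: "fallback is not a URL" }; }
    const safe = u.protocol === "https:" && !u.username && !u.password && policy.fallbackHosts.has(u.hostname);
    if (!safe) return { ok: false, reason: "fallback URL not allowed" };
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample link, accepted under POLICY.
const SAMPLE = "intent://open/item/42#Intent;scheme=exampleapp;package=com.example.app;" +
  "S.browser_fallback_url=https%3A%2F%2Fwww.example.com%2Fitem%2F42;end";
console.log(validateIntentUri(SAMPLE));
```

Rejecting unknown keys such as `component` and duplicate parameters keeps the validator and whatever later consumes the link from disagreeing about what the link means.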
Current Trends of Zero-Day Vulnerabilities
The zero-day patch addresses Google’s fifth Chrome flaw to come under active exploitation this year. In May and July, respectively, the company fixed an actively exploited heap buffer overflow flaw tracked as CVE-2022-2294 and a separate buffer overflow flaw tracked as CVE-2022-2856 in the WebRTC engine. The V8 JavaScript engine was also affected by the type confusion flaw CVE-2022-1364, on which attackers had already pounced and which Google patched in April. In February, Google fixed the first of this year’s Chrome zero-days, a use-after-free flaw in the Animation component tracked as CVE-2022-0609; North Korean hackers had been exploiting it weeks before it was discovered and fixed.
Editorial and Recommendations
Zero-day vulnerabilities pose a significant threat to internet security, as they mean attackers can hide malware in common software applications for which patches are not yet available to users. Vendors and users must use tools that can identify whether these types of zero-day exploits are in use and, if one is discovered, install or use a temporary patch to keep themselves safe while the company rolls out an official update. Meanwhile, software developers must incorporate input validation functionality into their software while developing it. Every government and organization must maintain an active defense program and regular security training programs to enhance cybersecurity awareness.
Companies and organizations must prioritize their zero-day vulnerabilities. Ensure software patching is up to date and pay keen attention to third-party programs and plugins since cybercriminals often target these systems to execute their attacks. Employ security solutions such as anti-phishing software, anti-malware detection, and intrusion prevention and detection systems. In conclusion, since attackers frequently search for zero-day vulnerabilities, companies must implement appropriate security measures and cybersecurity practices before cyber attackers strike.