Google’s Ongoing Battle: Patching Chrome’s Fifth Zero-Day of the Year

Google Patches Chrome‘s Fifth Zero-Day of the Year

The Vulnerability

Google has recently patched the fifth actively exploited zero-day vulnerability discovered in Chrome this year. The bug, tracked as CVE-2022-2856, is rated as high on the Common Vulnerability Scoring System (CVSS) and is associated with “insufficient validation of untrusted input in Intents.” This flaw could potentially allow for arbitrary code execution and is currently under active attack.

Intents are a deep linking feature on the Android device within the Chrome browser that replaced URI schemes. Developers need to use their intent string to handle this process in Chrome. However, insufficient validation of untrusted input in Intents can lead to altered control flow, arbitrary control of a resource, or arbitrary code execution. This makes it critical for Google to release a patch to address this vulnerability.

A Wise Strategy

Google follows a strategy of not disclosing specific details of the bug until it is widely patched. This approach aims to prevent threat actors from taking further advantage of the vulnerability. Satnam Narang, a senior staff research engineer at cybersecurity firm Tenable, commends this strategy, stating that publicizing details on an actively exploited zero-day vulnerability just as a patch becomes available could have dire consequences. It takes time to roll out security updates to vulnerable systems, and attackers are always waiting to exploit these types of flaws.

Furthermore, Google‘s decision to hold back information about the vulnerability is also important because other Linux distributions and browsers, such as Microsoft Edge, include code based on Google‘s Chromium Project. If an exploit for this vulnerability is released, these systems could also be affected. The delay in disclosing specific details provides a buffer for defenders to implement necessary security measures.

Prior Zero-Day Patches

This latest zero-day patch is the fifth one that Google has addressed in Chrome this year. In July, a heap buffer overflow flaw in WebRTC was patched. Earlier in May, a separate buffer overflow flaw was fixed. In April, a type confusion flaw affecting Chrome‘s use of the V8 JavaScript engine was patched. And in February, a use-after-free flaw in Chrome‘s Animation component was fixed.

It is worth noting that the February zero-day vulnerability had been exploited by North Korean hackers before it was discovered and patched. These instances highlight the importance of prompt patching and proactive measures in cybersecurity.

Conclusion

Google‘s swift response to patch zero-day vulnerabilities in Chrome is commendable. The constant discovery and exploitation of such vulnerabilities highlight the persistent efforts of threat actors to target popular software and gain unauthorized access. It is essential for users and organizations to stay vigilant and proactive about implementing security patches and measures to mitigate the risk of exploitation.

While software companies play a crucial role in addressing vulnerabilities, users must also take responsibility for their online security. This includes regularly updating software and using strong, unique passwords. Internet security is a collective effort, and continued diligence is necessary to protect against evolving threats.