August 20 update below. This article was originally published on August 18.
If you are a Chrome browser user, whether on Windows, Mac or Linux, Google has some bad news for you. Attackers are already exploiting a high-impact security vulnerability that could allow them to take control of a system resource or execute arbitrary code. This is the fifth zero-day Google has faced in 2022 so far.
What is Google Chrome CVE-2022-2856 Zero-Day?
In an advisory published on August 16, Srinivas Sista from the Google Chrome team confirms that a total of eleven security vulnerabilities, ranging from medium impact to critical impact, have been fixed in the latest Chrome update. One of them, CVE-2022-2856, is the zero day in question. “Google is aware that an exploit for CVE-2022-2856 exists in the wild,” Sista said.
Few details are made public about the zero-day vulnerability until a majority of users have had time to ensure the update is installed and activated.
However, Google confirms that CVE-2022-2856 was reported by Google Threat Analysis Group hackers Ashley Shen and Christian Resell on July 19. According to the advisory, it is “insufficient validation of unreliable contributions in intents”.
Which will be as clear as mud to most users.
All I can add, at this point, in an attempt to clarify, is that the “intents” mentioned are how Chrome handles user input. It is possible, although again I cannot confirm the precise technical details of CVE-2022-2856, that creating a malicious input that prevents Chrome from validating it could potentially lead to arbitrary code execution.
What steps should you follow to secure Google Chrome?
What I can say with confidence is that you should check that your browser has been updated to the latest version of Chrome as soon as possible. For Mac and Linux users it will be Chrome 104.0.5112.101, while for Windows users it could be 104.0.5112.101 or 104.0.5112.102, just for additional unwanted confusion.
Although Chrome should update automatically, it is recommended to force the update check to be safe. You also need to take an extra step before your browser is secured against this zero-day threat and other disclosed threats.
Navigate to the About Google Chrome entry in the browser menu, which will force a check for any available updates. Once this update is downloaded and installed, a relaunch button becomes available. After restarting the browser, the update will activate and protect you from Google Chrome’s fifth zero-day of the year.
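For anyone checking more than one machine, the version test described above can be scripted. The following is an added example, not code from Google or from the original article; the function names are hypothetical, the sample version strings are constructed, and the comparison only applies to Google Chrome's own build numbers (Brave, Edge and Opera number their releases differently).

```shell
#!/bin/sh
# Minimum fixed build named in the article (Windows may also show 104.0.5112.102).
MIN_FIXED="104.0.5112.101"

# Pull the first four-part build number out of a string such as
# "Google Chrome 104.0.5112.101"; prints nothing if none is found.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_ge A B: succeed when build A is the same as or newer than build B.
# Fields are compared as integers, left to right, so 104.0.5112.81 sorts
# below 104.0.5112.101 (a plain string comparison would get this wrong).
version_ge() {
    a=$1
    b=$2
    for i in 1 2 3 4; do
        fa=${a%%.*}; fb=${b%%.*}
        if [ "$fa" -gt "$fb" ]; then return 0; fi
        if [ "$fa" -lt "$fb" ]; then return 1; fi
        a=${a#*.}; b=${b#*.}
    done
    return 0
}

# chrome_status STRING: print PATCHED, OUTDATED or UNKNOWN for a version string.
chrome_status() {
    v=$(extract_version "$1")
    if [ -z "$v" ]; then
        echo UNKNOWN
    elif version_ge "$v" "$MIN_FIXED"; then
        echo PATCHED
    else
        echo OUTDATED
    fi
}

# Constructed sample inputs (not captured from real hosts).
for sample in "Google Chrome 104.0.5112.101" \
              "Google Chrome 104.0.5112.81" \
              "Google Chrome 103.0.5060.134" \
              "not installed"; do
    printf '%-32s %s\n' "$sample" "$(chrome_status "$sample")"
done
```

On Linux the input string can come from `google-chrome --version`. A browser that has downloaded the update but has not been relaunched is still running the old build, which is why the relaunch step above matters.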
As other Chromium engine-based browsers will likely be affected by the same vulnerabilities, expect updates for Brave, Edge, and Opera to follow in due course.
August 20 update:
CISA adds Chrome zero-day to catalog of known exploited vulnerabilities
Although nearly all mainstream media coverage, not just tech publications, has focused on the recently fixed Apple iOS and macOS zero-days, that doesn’t mean that Google Chrome’s suddenly becomes irrelevant. The fact that the US Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2022-2856 to the “Known Exploited Vulnerabilities Catalog” is proof of this. This list of vulnerabilities known to be exploited by real-world threat actors comes with a strong recommendation from CISA to apply available patches as soon as possible. Needless to say, but I will anyway, the two Apple vulnerabilities (CVE-2022-32893 and CVE-2022-32894) are also included in this latest CISA catalog update.
However, it’s not just vulnerabilities, or even zero-day vulnerabilities, that the security-conscious Google Chrome user needs to be aware of. In early August, I reported how a cybercrime group called SharpTongue, which allegedly has ties to another group, Kimsuky, which CISA reports is likely to be “charged by the North Korean regime of a global intelligence-gathering mission,” was bypassing the need to collect credentials to spy on Gmail messages. The SHARPEXT attack could even read the emails of users who had implemented two-factor authentication. It handles this by grabbing the authentication cookies in what’s called an adversary-in-the-middle (AiTM) attack.
The SHARPEXT malware arrives through, and here’s the “not just vulnerabilities” point, a rogue browser extension. In addition to Chrome, the campaign targeted Edge (based on the same Chromium engine) and a client little known in the West called Whale, which appears to be used in South Korea. New Kaspersky research has shed light on the entire browser extension security problem, and it’s not just limited to Chromium-based browsers.
According to Kaspersky research, in the first six months of 2022 alone, some 1,311,557 users attempted to download malicious or unwanted extensions. This, dear reader, represents a 70% increase over the number of people similarly affected throughout 2021. While serving unwanted ads was the most common target of these browser extensions, that’s not the whole story: extensions with a malware payload were the second most common. Indeed, between January 2020 and June 2022, Kaspersky researchers claim that some 2.6 million individual users were attacked by such malicious extensions.
And finally, I mentioned in the original Chrome update article that other browsers will release updates in due course. These all seem to be in place now. Refer to the images below to see the latest version numbers of Brave, Edge, and Opera.